diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 06752088548..ba61823ac7c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -54,7 +54,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -68,4 +68,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 diff --git a/ASIM/dev/ASimYaml2ARM/KqlFuncYaml2Arm.py b/ASIM/dev/ASimYaml2ARM/KqlFuncYaml2Arm.py index 1f7ae15d680..06b2bf56757 100644 --- a/ASIM/dev/ASimYaml2ARM/KqlFuncYaml2Arm.py +++ b/ASIM/dev/ASimYaml2ARM/KqlFuncYaml2Arm.py @@ -200,9 +200,9 @@ logging.debug ('Generating ARM template') # generate the ARM template armTemplate = copy.deepcopy(func_arm_template) - armTemplate['resources'][0]['resources'][0]['name'] = Alias - armTemplate['resources'][0]['resources'][0]['properties']['query'] = Query - armTemplate['resources'][0]['resources'][0]['properties']['category'] = Category + armTemplate['resources'][0]['name'] = f"[concat(parameters('Workspace'), '/{Alias}')]" + armTemplate['resources'][0]['properties']['query'] = Query + armTemplate['resources'][0]['properties']['category'] = Category if params: Parameters = "" for param in params: 
@@ -220,9 +220,9 @@ if Parameters != "": Parameters = f'{Parameters},' Parameters = Parameters + ParamString - armTemplate['resources'][0]['resources'][0]['properties']['functionParameters'] = Parameters - armTemplate['resources'][0]['resources'][0]['properties']['FunctionAlias'] = Alias - armTemplate['resources'][0]['resources'][0]['properties']['displayName'] = Title + armTemplate['resources'][0]['properties']['functionParameters'] = Parameters + armTemplate['resources'][0]['properties']['FunctionAlias'] = Alias + armTemplate['resources'][0]['properties']['displayName'] = Title logging.debug ('Writing ARM template') # Write template diff --git a/ASIM/dev/ASimYaml2ARM/func_arm_template.json b/ASIM/dev/ASimYaml2ARM/func_arm_template.json index 3c2a5b14ca8..5f23c33136c 100644 --- a/ASIM/dev/ASimYaml2ARM/func_arm_template.json +++ b/ASIM/dev/ASimYaml2ARM/func_arm_template.json 
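Review bot: The new `name` assignment in the first hunk interpolates `Alias` directly into a single-quoted ARM string literal, so an alias containing `'` would yield an unparsable `[concat(...)]` expression at deployment time; ARM escapes a quote inside an expression string literal by doubling it, so build the value from an escaped copy, e.g. `safe_alias = Alias.replace("'", "''")` followed by `armTemplate['resources'][0]['name'] = f"[concat(parameters('Workspace'), '/{safe_alias}')]"`. Since the same `Alias` is also written verbatim to `FunctionAlias` in the second hunk, a single up-front check that the alias is a plain identifier (which a KQL function alias is expected to be anyway) would cover both assignments with a clearer error than a failed deployment. A one-line comment above the assignment, `# savedSearches is deployed as a workspace child, so its ARM name is '<workspace>/<alias>'`, would also explain why the name is now an expression rather than the bare alias. The scope enclosing these lines begins outside the hunk.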
@@ -1,45 +1,35 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "functionAlias", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "displayName", - "category": "ASIM", - "FunctionAlias": "functionAlias", - "query": "parserQuery", - "version": 1 - } - } - ] + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "resourceName", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "displayName", + "category": "ASIM", + "FunctionAlias": "functionAlias", + "query": "parserQuery", + "version": 1 } - ] - } \ No newline at end of file + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json index b56305d3f48..382856e0058 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json 
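Review bot: The flattened `savedSearches` resource on the `+` side now carries `"location"` and still keeps `"etag": "*"` inside `properties`; as far as I recall, the `Microsoft.OperationalInsights/workspaces/savedSearches` 2020-08-01 schema has no `location` and takes `etag` as a top-level resource property, so the `etag` here may never reach the service and overwriting an existing function would then rely on ARM's leniency rather than on the template. Worth confirming on a rendered template with `az deployment group validate` or what-if, and either moving `"etag": "*"` up beside `"name"` or documenting in KqlFuncYaml2Arm.py why it stays under `properties`. The generated parser templates later in this diff (ASimAuditEvent, ASimAuditEventAzureAdminActivity, ASimAuditEventBarracudaCEF) have the same shape, so fixing this template and regenerating covers all of them. If `location` is dropped, the `WorkspaceRegion` parameter becomes unused and should go with it. While here, this file still ends without a trailing newline, unlike the regenerated parser templates.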
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit event ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimAuditEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftSecurityEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftEvent (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventCiscoMerakiSyslog (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))),\n 
ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventBarracudaCEF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),\n ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),\n ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit event ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimAuditEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftSecurityEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftEvent (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or 
('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventCiscoMerakiSyslog (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventBarracudaCEF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),\n ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),\n ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),\n ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),\n ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json index 7458c2cf4c0..34929ff6da1 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventAzureActivity')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventAzureActivity", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Azure administrative activity", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventAzureActivity", - "query": "let parser=(disabled:bool=false){\n let AzureActivityOperationLookup = datatable (op:string, EventType:string) \n [\n 'ACTION', 'Execute',\n 'WRITE', 'Set',\n 'DELETE', 'Delete'\n ];\n let AzureActivityStatusLookup = datatable (ActivityStatusValue:string, ActivitySubstatusValue:string, EventResult:string, EventResultDetails:string) \n [\n \"Accept\",\"Accepted\",\"Success\",\"\",\n \"Accept\",\"Created\",\"Success\",\"\",\n \"Accept\",\"OK\",\"Success\",\"\",\n \"Accept\",\"\",\"Success\",\"\",\n \"Accepted\",\"\",\"Success\",\"\",\n \"Active\",\"\",\"Success\",\"Active\",\n \"Failed\",\"\",\"Failure\",\"\",\n \"Failure\",\"BadRequest\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Conflict\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"InternalServerError\",\"Failure\",\"Internal error\",\n \"Failure\",\"MethodNotAllowed\",\"Failure\",\"Bad Request\",\n \"Failure\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failure\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"\",\"Failure\",\"\",\n \"In Progress\",\"\",\"Success\",\"In Progress\",\n \"Resolved\",\"\",\"Success\",\"\",\n 
\"Start\",\"\",\"Success\",\"Start\",\n \"Started\",\"\",\"Success\",\"Start\",\n \"Succeeded\",\"\",\"Success\",\"\",\n \"Success\",\"Created\",\"Success\",\"\",\n \"Success\",\"NoContent\",\"Success\",\"\",\n \"Success\",\"OK\",\"Success\",\"\",\n \"Success\",\"\",\"Success\",\"\",\n \"Updated\",\"\",\"Success\",\"\",\n \"Succeeded\",\"OK\",\"Success\",\"\",\n \"Accepted\",\"Accepted\",\"Success\",\"\",\n \"Accepted\",\"OK\",\"Success\",\"\",\n \"Failed\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Succeeded\",\"Created\",\"Success\",\"\",\n \"Failed\",\"BadRequest\",\"Failure\",\"Bad request\",\n \"Accepted\",\"Created\",\"Success\",\"\",\n \"Failed\",\"Conflict\",\"Failure\",\"Bad request\",\n \"Failed\",\"MethodNotAllowed\",\"Failure\",\"Bad request\",\n \"Failure\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Succeeded\",\"NoContent\",\"Success\",\"\",\n \"Failure\",\"ServiceUnavailable\",\"Failure\",\"Internal error\",\n \"Failure\",\"GatewayTimeout\",\"Failure\",\"Internal error\",\n \"Failed\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failed\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Failure\",\"UnsupportedMediaType\",\"Failure\",\"Bad request\",\n \"Failed\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Cancel\",\"\",\"Failure\",\"Cancelled\"\n ];\n AzureActivity \n | where not(disabled)\n | where CategoryValue == \"Administrative\"\n | project-away HTTPRequest, Level, SourceSystem, EventSubmissionTimestamp, TenantId, OperationId, Hierarchy, Category, ResourceId, ResourceProvider, Resource\n | project-rename \n Operation = OperationNameValue,\n SrcIpAddr = CallerIpAddress,\n EventOriginalUid = EventDataId,\n ActorSessionId = CorrelationId,\n EventOriginalType = CategoryValue\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Azure',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ObjectType = \"Cloud Resource\",\n 
TargetAppName = \"Azure\",\n TargetAppType = \"CSP\"\n // --\n // Calculate EventResult, EventResultDetails, and EventResultOriginalDetails\n | extend\n EventOriginalResultDetails = strcat (\n ActivityStatusValue, \n iff (ActivitySubstatusValue !=\"\", strcat(' [', ActivitySubstatusValue, ']'), \"\")\n )\n | extend \n ActivitySubstatusValue = iff (ActivitySubstatusValue matches regex \"\\\\d+\", \"\", ActivitySubstatusValue)\n | lookup AzureActivityStatusLookup on ActivityStatusValue, ActivitySubstatusValue\n | extend EventResult = iff(EventResult == \"\", \"Other\", EventResult)\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n | project-away ActivityStatus*, ActivitySubstatus*\n // --\n // Calculate Actor\n | extend \n Caller = iff(Caller == \"Microsoft.RecoveryServices\", \"\", Caller)\n | extend \n ActorUsernameType = iff (Caller has \"@\", \"UPN\", \"\")\n | extend \n ActorUsername = iff (ActorUsernameType == \"UPN\", Caller, \"\"),\n ActorUserId = iff (ActorUsernameType != \"UPN\", Caller, \"\")\n | extend\n ActorUserIdType = iff (ActorUserId != \"\", \"AADID\", \"\")\n | project-away Caller\n // --\n // Calculate Object\n | extend \n entity = tostring(Properties_d.entity), \n resource = tostring(Properties_d.resource),\n entity_name = tostring(Properties_d.[\"Entity Name\"])\n | extend Object = case ( \n entity != \"\", entity,\n strcat (\"/subscriptions/\", SubscriptionId, \"/resourceGroups/\", ResourceGroup, \"/providers/\", ResourceProviderValue, \"/\",resource, iff (entity_name != \"\", strcat(\"/\", entity_name), \"\"))\n )\n | project-away entity, resource,entity_name, _SubscriptionId, SubscriptionId, ResourceGroup, ResourceProviderValue\n // --\n // Calculate EventType\n | extend op = toupper(tostring(split(Operation,\"/\")[-1]))\n | lookup AzureActivityOperationLookup on op\n | extend EventType = iff (EventType == \"\", \"Other\", EventType)\n | project-away op\n // Aliases\n | extend AdditionalFields = 
pack_dictionary(\"Authorization\", Authorization_d, \"Claims\", Claims_d, \"Error\", Properties_d.statusMessage)\n // -- Aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = SrcIpAddr,\n // -- Entity identifier explicit aliases\n ActorUserUpn = ActorUsername,\n ActorUserAadId = ActorUserId\n | project-away OperationName, Properties*, Authorization*, Claims*\n // -- Properties*\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Azure administrative activity", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventAzureActivity", + "query": "let parser=(disabled:bool=false){\n let AzureActivityOperationLookup = datatable (op:string, EventType:string) \n [\n 'ACTION', 'Execute',\n 'WRITE', 'Set',\n 'DELETE', 'Delete'\n ];\n let AzureActivityStatusLookup = datatable (ActivityStatusValue:string, ActivitySubstatusValue:string, EventResult:string, EventResultDetails:string) \n [\n \"Accept\",\"Accepted\",\"Success\",\"\",\n \"Accept\",\"Created\",\"Success\",\"\",\n \"Accept\",\"OK\",\"Success\",\"\",\n \"Accept\",\"\",\"Success\",\"\",\n \"Accepted\",\"\",\"Success\",\"\",\n \"Active\",\"\",\"Success\",\"Active\",\n \"Failed\",\"\",\"Failure\",\"\",\n \"Failure\",\"BadRequest\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Conflict\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"InternalServerError\",\"Failure\",\"Internal error\",\n \"Failure\",\"MethodNotAllowed\",\"Failure\",\"Bad Request\",\n \"Failure\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failure\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"\",\"Failure\",\"\",\n \"In Progress\",\"\",\"Success\",\"In Progress\",\n \"Resolved\",\"\",\"Success\",\"\",\n \"Start\",\"\",\"Success\",\"Start\",\n 
\"Started\",\"\",\"Success\",\"Start\",\n \"Succeeded\",\"\",\"Success\",\"\",\n \"Success\",\"Created\",\"Success\",\"\",\n \"Success\",\"NoContent\",\"Success\",\"\",\n \"Success\",\"OK\",\"Success\",\"\",\n \"Success\",\"\",\"Success\",\"\",\n \"Updated\",\"\",\"Success\",\"\",\n \"Succeeded\",\"OK\",\"Success\",\"\",\n \"Accepted\",\"Accepted\",\"Success\",\"\",\n \"Accepted\",\"OK\",\"Success\",\"\",\n \"Failed\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Succeeded\",\"Created\",\"Success\",\"\",\n \"Failed\",\"BadRequest\",\"Failure\",\"Bad request\",\n \"Accepted\",\"Created\",\"Success\",\"\",\n \"Failed\",\"Conflict\",\"Failure\",\"Bad request\",\n \"Failed\",\"MethodNotAllowed\",\"Failure\",\"Bad request\",\n \"Failure\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Succeeded\",\"NoContent\",\"Success\",\"\",\n \"Failure\",\"ServiceUnavailable\",\"Failure\",\"Internal error\",\n \"Failure\",\"GatewayTimeout\",\"Failure\",\"Internal error\",\n \"Failed\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failed\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Failure\",\"UnsupportedMediaType\",\"Failure\",\"Bad request\",\n \"Failed\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Cancel\",\"\",\"Failure\",\"Cancelled\"\n ];\n AzureActivity \n | where not(disabled)\n | where CategoryValue == \"Administrative\"\n | project-away HTTPRequest, Level, SourceSystem, EventSubmissionTimestamp, TenantId, OperationId, Hierarchy, Category, ResourceId, ResourceProvider, Resource\n | project-rename \n Operation = OperationNameValue,\n SrcIpAddr = CallerIpAddress,\n EventOriginalUid = EventDataId,\n ActorSessionId = CorrelationId,\n EventOriginalType = CategoryValue\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Azure',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ObjectType = \"Cloud Resource\",\n TargetAppName = \"Azure\",\n TargetAppType = 
\"CSP\"\n // --\n // Calculate EventResult, EventResultDetails, and EventResultOriginalDetails\n | extend\n EventOriginalResultDetails = strcat (\n ActivityStatusValue, \n iff (ActivitySubstatusValue !=\"\", strcat(' [', ActivitySubstatusValue, ']'), \"\")\n )\n | extend \n ActivitySubstatusValue = iff (ActivitySubstatusValue matches regex \"\\\\d+\", \"\", ActivitySubstatusValue)\n | lookup AzureActivityStatusLookup on ActivityStatusValue, ActivitySubstatusValue\n | extend EventResult = iff(EventResult == \"\", \"Other\", EventResult)\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n | project-away ActivityStatus*, ActivitySubstatus*\n // --\n // Calculate Actor\n | extend \n Caller = iff(Caller == \"Microsoft.RecoveryServices\", \"\", Caller)\n | extend \n ActorUsernameType = iff (Caller has \"@\", \"UPN\", \"\")\n | extend \n ActorUsername = iff (ActorUsernameType == \"UPN\", Caller, \"\"),\n ActorUserId = iff (ActorUsernameType != \"UPN\", Caller, \"\")\n | extend\n ActorUserIdType = iff (ActorUserId != \"\", \"AADID\", \"\")\n | project-away Caller\n // --\n // Calculate Object\n | extend \n entity = tostring(Properties_d.entity), \n resource = tostring(Properties_d.resource),\n entity_name = tostring(Properties_d.[\"Entity Name\"])\n | extend Object = case ( \n entity != \"\", entity,\n strcat (\"/subscriptions/\", SubscriptionId, \"/resourceGroups/\", ResourceGroup, \"/providers/\", ResourceProviderValue, \"/\",resource, iff (entity_name != \"\", strcat(\"/\", entity_name), \"\"))\n )\n | project-away entity, resource,entity_name, _SubscriptionId, SubscriptionId, ResourceGroup, ResourceProviderValue\n // --\n // Calculate EventType\n | extend op = toupper(tostring(split(Operation,\"/\")[-1]))\n | lookup AzureActivityOperationLookup on op\n | extend EventType = iff (EventType == \"\", \"Other\", EventType)\n | project-away op\n // Aliases\n | extend AdditionalFields = pack_dictionary(\"Authorization\", Authorization_d, 
\"Claims\", Claims_d, \"Error\", Properties_d.statusMessage)\n // -- Aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = SrcIpAddr,\n // -- Entity identifier explicit aliases\n ActorUserUpn = ActorUsername,\n ActorUserAadId = ActorUserId\n | project-away OperationName, Properties*, Authorization*, Claims*\n // -- Properties*\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json index dfd07538af7..f3cabe4c350 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventBarracudaCEF", - "query": "let EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", 
\"Other\"\n];\nlet parser = (disabled: bool=false) {\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string \n | extend Reason = trim('\"', Reason)\n | extend \n EventResultDetails = Reason,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n EventType = EventType_lookup,\n Dvc = DeviceName, \n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n ThreatConfidence = toint(ThreatConfidence) ,\n EventUid = _ItemId \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n EventType_lookup,\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Reason,\n Destination*,\n Activity,\n LogSeverity,\n 
ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n CollectorHostName,\n _ItemId;\n BarracudaCEF\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventBarracudaCEF", + "query": "let EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (disabled: 
bool=false) {\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string \n | extend Reason = trim('\"', Reason)\n | extend \n EventResultDetails = Reason,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n EventType = EventType_lookup,\n Dvc = DeviceName, \n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n ThreatConfidence = toint(ThreatConfidence) ,\n EventUid = _ItemId \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n EventType_lookup,\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Reason,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n 
ExtID,\n Protocol,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n CollectorHostName,\n _ItemId;\n BarracudaCEF\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json index c2962c4d54d..6bf210aa676 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", 
\"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (disabled: bool=false) {\n let BarracudaCustom = \n (union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) \n and LogType_s == \"AUDIT\" \n and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim('\"', Reason)\n | extend\n EventResultDetails = Reason,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on ChangeType_s\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventType = EventType_lookup,\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s, \n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n Operation = CommandName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", 
\"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n _ResourceId,\n Reason,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem\n );\n BarracudaCustom\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", 
\"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (disabled: bool=false) {\n let BarracudaCustom = \n (union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) \n and LogType_s == \"AUDIT\" \n and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim('\"', Reason)\n | extend\n EventResultDetails = Reason,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on ChangeType_s\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventType = EventType_lookup,\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s, \n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n Operation = CommandName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = 
ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n _ResourceId,\n Reason,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem\n );\n BarracudaCustom\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json index 0f110d63c3d..7d5c5488a14 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", 
\"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode 
from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial 
status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated 
Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred 
for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", 
\"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", 
\"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has 
been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", 
\"CA service enabled\", \"CA service enabled\",\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", 
\"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF 
for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", 
\"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete 
ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE 
learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload 
failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", 
\"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n| summarize make_set(EventOriginalType));\nlet CiscoISEAuditParser=(disabled: bool=false) {\nSyslog\n| where not(disabled)\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| lookup EventFieldsLookup on EventOriginalType \n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename SrcIpAddr=['Remote-Address'], TargetIpAddr =['Device IP Address']\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = 
TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been 
deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"Failed to perform the full replication requested by 
the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", 
\"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch installation completed successfully on the node\", 
\"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", 
\"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", 
\"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch remove has failed\", 
\"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy 
file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has been modified\", \"Configuration change occurred for ADEOS CLI 
Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service enabled\", \"CA service enabled\",\n\"60210\", 
\"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted 
IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", 
\"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE 
instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", 
\"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE learned new VN defined for SXP Listener\", \"ISE learned new VN 
defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE 
instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync operation failure\", \"Meraki connector sync operation 
failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n| summarize make_set(EventOriginalType));\nlet CiscoISEAuditParser=(disabled: bool=false) {\nSyslog\n| where not(disabled)\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| lookup EventFieldsLookup on EventOriginalType \n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename SrcIpAddr=['Remote-Address'], TargetIpAddr =['Device IP Address']\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = 
TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json index edd5821b03d..58c6e771407 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventCiscoMeraki", - "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n 
\"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring 
with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with 
(pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", 
replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n 
Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventCiscoMeraki", + "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", 
\"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = 
tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n 
temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n 
| extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | 
extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = 
_ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json index f0c0216bef7..207a26099d0 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventCiscoMerakiSyslog", - "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role 
change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | 
where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | 
parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n 
temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", 
\"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": 
"ASimAuditEventCiscoMerakiSyslog", + "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP 
active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA 
established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" 
TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse 
temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == 
\"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json index 40990c8936d..f8e2201aa65 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAuditEventCrowdStrikeFalconHost')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimAuditEventCrowdStrikeFalconHost",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection",
- "category": "ASIM",
- "FunctionAlias": "ASimAuditEventCrowdStrikeFalconHost",
- "query": "let EventFieldsLookup = datatable(\n Activity: string,\n Operation: string,\n EventType_lookup: string,\n EventSubType: string,\n Object: string,\n ObjectType: string\n) \n [\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy Rule\",\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\n \"create_rule_group\", \"Create Rule 
Group\", \"Create\", \"\", \"Rule Group\", \"Service\",\n \"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet UserAuditActivities = dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", 
\"delete_rule_group\", \"add_rule_group\", \"delete_rule\", \"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\n | lookup EventFieldsLookup on Activity\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventType = EventType_lookup,\n EventStartTime = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n todatetime(DeviceCustomDate1),\n datetime(null)\n ),\n EventOriginalType = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n DeviceEventClassID,\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n DeviceEventCategory,\n \"\"\n ),\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = int(1),\n DvcAction = \"Allowed\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n ActorUsername = DestinationUserName,\n EventUid = _ItemId,\n DvcIpAddr = DestinationTranslatedAddress,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n TargetAppName = ProcessName,\n EventOriginalResultDetails = EventOutcome,\n EventOriginalSubType = Activity\n | extend\n EventEndTime = EventStartTime,\n Application = TargetAppName,\n TargetIpAddr = DvcIpAddr,\n User = ActorUsername,\n 
ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\n | extend\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Dst = TargetIpAddr\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n IndicatorThreatType,\n EventType_*\n};\nparser(disabled=disabled)",
- "version": 1,
- "functionParameters": "disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEventCrowdStrikeFalconHost",
+ "query": "let EventFieldsLookup = datatable(\n Activity: string,\n Operation: string,\n EventType_lookup: string,\n EventSubType: string,\n Object: string,\n ObjectType: string\n) \n [\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy 
Rule\",\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\n \"create_rule_group\", \"Create Rule Group\", \"Create\", \"\", \"Rule Group\", \"Service\",\n \"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet UserAuditActivities = 
dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", \"delete_rule_group\", \"add_rule_group\", \"delete_rule\", \"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\n | lookup EventFieldsLookup on Activity\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventType = EventType_lookup,\n EventStartTime = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n todatetime(DeviceCustomDate1),\n datetime(null)\n ),\n EventOriginalType = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n DeviceEventClassID,\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n DeviceEventCategory,\n \"\"\n ),\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = int(1),\n DvcAction = \"Allowed\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n ActorUsername = DestinationUserName,\n EventUid = _ItemId,\n DvcIpAddr = DestinationTranslatedAddress,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n 
TargetAppName = ProcessName,\n EventOriginalResultDetails = EventOutcome,\n EventOriginalSubType = Activity\n | extend\n EventEndTime = EventStartTime,\n Application = TargetAppName,\n TargetIpAddr = DvcIpAddr,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\n | extend\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Dst = TargetIpAddr\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n IndicatorThreatType,\n EventType_*\n};\nparser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json
new file mode 100644
index 00000000000..39e5b27654b
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json
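Review bot: In the `+ "query"` line of this hunk, `EventResult = iff(EventOutcome == "false", "Failure", "Success")` maps every value other than the literal lowercase `false` — including an empty `EventOutcome` — to `Success`, so a detection keyed on `EventResult == "Failure"` would miss failed audit actions whose outcome arrives empty or differently cased. A case-insensitive three-way mapping, `EventResult = case(EventOutcome =~ "false", "Failure", EventOutcome =~ "true", "Success", "NA")`, keeps the success/failure split honest and leaves unknown outcomes visible as `NA` rather than silently counting them as successes. The expression is carried over unchanged from the removed side, so it is pre-existing rather than introduced here, and if this JSON is generated from the parser's YAML source the fix belongs there so the next regeneration does not undo it. Separately, the flattened resource keeps `"etag": "*"`, which as a wildcard match presumably overwrites any saved search already deployed under this name, and the template no longer declares the parent workspace or a `dependsOn` on it — worth a sentence in the description so operators know the workspace must pre-exist and that a customized copy of the function will be replaced.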
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAuditEventIllumioSaaSCore')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Illumio SaaS Core audit events",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEventIllumioSaaSCore",
+ "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n Operation: string,\n ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other],\n Object:string,\n EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type\n)\n[\n 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create',\n 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete',\n 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set',\n 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.deactivate', 
'Agent unpaired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other',\n 'agent.request_upgrade', 'VEN upgrade request sent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other',\n 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other',\n 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set',\n 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create',\n 'agent_support_report_request.delete', 'Agent support report request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete',\n 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other',\n 
'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other',\n 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create',\n 'api_key.delete', 'API key deleted', 'Cloud Resource', 'Api_key', 'Delete',\n 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set',\n 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create',\n 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 'Auth_security_principal', 'Delete',\n 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set',\n 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set',\n 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create',\n 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete',\n 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set',\n 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set',\n 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create',\n 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete',\n 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create',\n 'container_workload_profile.delete', 'Container workload profile deleted', 
'Cloud Resource', 'Container_workload_profile', 'Delete',\n 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 'Container_workload_profile', 'Set',\n 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other',\n 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other',\n 'domain.create', 'Domain created', 'Other', 'Domain', 'Create',\n 'domain.delete', 'Domain deleted', 'Other', 'Domain', 'Delete',\n 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set',\n 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create',\n 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete',\n 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set',\n 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set',\n 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set',\n 'group.create', 'Group created', 'Other', 'Group', 'Create',\n 'group.update', 'Group updated', 'Other', 'Group', 'Set',\n 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create',\n 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete',\n 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set',\n 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete',\n 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create',\n 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete',\n 'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set',\n 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete',\n 'label.create', 'Label created', 'Cloud Resource', 'Label', 
'Create',\n 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete',\n 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set',\n 'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create',\n 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete',\n 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set',\n 'labels.delete', 'Labels deleted', 'Cloud Resource', 'Labels', 'Delete',\n 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create',\n 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete',\n 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set',\n 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other',\n 'license.delete', 'License deleted', 'Other', 'License', 'Delete',\n 'license.update', 'License updated', 'Other', 'License', 'Set',\n 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create',\n 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete',\n 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set',\n 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other',\n 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create',\n 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 'Login_proxy_msp_tenants', 'Delete',\n 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set',\n 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 
'Create',\n 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete',\n 'login_proxy_orgs.update', 'Managed organization updated', 'Other', 'Login_proxy_orgs', 'Set',\n 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other',\n 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create',\n 'network.delete', 'Network deleted', 'Cloud Resource', 'Network', 'Delete',\n 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set',\n 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create',\n 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete',\n 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set',\n 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other',\n 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create',\n 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete',\n 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set',\n 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 
'Network_enforcement_node', 'Other',\n 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set',\n 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other',\n 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other',\n 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete',\n 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set',\n 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set',\n 'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set',\n 'org.create', 'Organization created', 'Other', 'Org', 'Create',\n 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other',\n 
'org.update', 'Organization information updated', 'Other', 'Org', 'Set',\n 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set',\n 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete',\n 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create',\n 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete',\n 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set',\n 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create',\n 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete',\n 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set',\n 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create',\n 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete',\n 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set',\n 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 'Other',\n 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other',\n 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other',\n 'request.internal_server_error', 'API 
request failed due to internal server error', 'Other', 'Request', 'Other',\n 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 'Other',\n 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other',\n 'resource.create', 'Login resource created', 'Other', 'Resource', 'Create',\n 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete',\n 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set',\n 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create',\n 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete',\n 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set',\n 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete',\n 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set',\n 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create',\n 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete',\n 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other',\n 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set',\n 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create',\n 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete',\n 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set',\n 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 'Create',\n 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete',\n 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other',\n 'sec_rule.create', 'Security policy rules created', 
'Policy Rule', 'Sec_rule', 'Create',\n 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete',\n 'sec_rule.update', 'Security policy rules updated', 'Policy Rule', 'Sec_rule', 'Set',\n 'secure_connect_gateway.create', 'SecureConnect gateway created', 'Other', 'Secure_connect_gateway', 'Create',\n 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete',\n 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set',\n 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create',\n 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete',\n 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set',\n 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other',\n 'service.create', 'Service created', 'Other', 'Service', 'Create',\n 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete',\n 'service.update', 'Service updated', 'Other', 'Service', 'Set',\n 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create',\n 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete',\n 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set',\n 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create',\n 'service_binding.delete', 'Service binding created', 'Other', 'Service_binding', 'Delete',\n 'service_bindings.delete', 'Service bindings deleted', 'Other', 'Service_bindings', 'Delete',\n 'service_bindings.delete', 'Service binding deleted', 'Other', 'Service_bindings', 'Delete',\n 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete',\n 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 
'Set',\n 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create',\n 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete',\n 'slb.update', 'Server load balancer updated', 'Other', 'Slb', 'Set',\n 'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other',\n 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create',\n 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete',\n 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set',\n 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other',\n 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.delete_expired_service_account_api_keys', 'An expired service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete',\n 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete',\n 'system_task.endpoint_offline_check', 'Endpoint marked 
offline', 'Other', 'System_task', 'Other',\n 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',\n 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',\n 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',\n 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',\n 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',\n 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',\n 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',\n 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',\n 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',\n 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',\n 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',\n 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',\n 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set', \n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 
'User', 'Set',\n 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',\n 'user.use_expired_password', 'User entered expired password', 'Cloud Resource', 'User', 'Other',\n 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',\n 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',\n 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',\n 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',\n 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',\n 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',\n 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',\n 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',\n 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',\n 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',\n 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',\n 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',\n 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',\n 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',\n 'virtual_server.delete', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Delete',\n 'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',\n 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',\n 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 
'Virtual_service', 'Delete',\n 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 'Virtual_service', 'Set',\n 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',\n 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',\n 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',\n 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',\n 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',\n 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',\n 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',\n 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',\n 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',\n 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',\n 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',\n 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',\n 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',\n 'workload_interface.create', 'Workload interface created', 'Cloud Resource', 'Workload_interface', 'Create',\n 'workload_interface.delete', 'Workload interface deleted', 'Cloud Resource', 'Workload_interface', 'Delete',\n 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set',\n 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set',\n '', 'For 
example, IP address changes, new interface added, and interface shut down.', 'Other', '', 'Other',\n 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set',\n 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set',\n 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set'\n];\nlet EventSeverityLookup = datatable(\n severity: string,\n EventSeverity: string\n)\n [\n \"err\", \"High\",\n \"info\", \"Informational\",\n \"warning\", \"Medium\"\n];\nlet EventResultLookup = datatable(\n status: string,\n EventResult: string\n)\n [\n \"success\", \"Success\",\n \"failure\", \"Failure\",\n \"\", \"NA\"\n];\nlet parser = (disabled: bool = false) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type !startswith \"user\" // filter out user auth events \n | lookup EventTypeLookup on event_type // fetch Object, ObjectType,EventType, Operation from lookup\n | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup\n | lookup EventResultLookup on status // fetch EventResult from lookup\n | extend\n ActorUsername = case(\n 
isnotnull(created_by.system), \"System\",\n isnotnull(created_by.user), created_by.user.username,\n isnotnull(created_by.agent), created_by.agent.hostname,\n \"Unknown\"\n )\n | extend ActorUsernameType = \"Simple\",\n temp_resource_changes = parse_json(resource_changes), \n temp_notifications = parse_json(notifications)\n | extend\n NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''),\n EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''), \n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip),\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime= TimeGenerated,\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n Dvc = pce_fqdn,\n EventType = iff(isnull(EventType), event_type, EventType),\n EventOriginalUid = href,\n EventUid = _ItemId\n //aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Value = NewValue\n | project-away\n temp_*,\n event_type, // used by EventType\n severity, // used by EventSeverity\n resource_changes, // used by NewValue and EventMessage\n notifications,\n version, // simply drop version, no need to translate\n action, //used by src_ip\n status, // used by EventResult\n created_by, // used by ActorUsername and ActorType\n pce_fqdn, // used by Dvc\n href, // used by EventOriginalUid\n TenantId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md new file mode 100644 index 00000000000..251c9c9ac47 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md 
@@ -0,0 +1,18 @@
+# Illumio Core ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Illumio Core.
+
+This ASIM parser supports normalizing Illumio Core audit events logs ingested in 'Illumio_Auditable_Events_CL' table to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventIllumioSaaSCore%2FASimAuditEventIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventIllumioSaaSCore%2FASimAuditEventIllumioSaaSCore.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json
new file mode 100644
index 00000000000..eab8b1dd870
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "AuditEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string) [ \"CreateSecurityPolicy\", \"Security Policy\", \"Policy Role\", \"UpdateSecurityPolicy\", \"Security Policy\", \"Policy\", \"Create\", \"Network Resource\", \"Service\", \"Update\", \"Network Resource\", \"Service\", \"Restore\", \"Infoblox Resource\", \"Service\", \"CreateOrGetDoHFQDN\", \"DOHFQDN\", \"Service\", \"CreateOrUpdateDfpService\", \"Dfp Service\", \"Service\", \"MoveToRecyclebin\", \"Recyclebin\", \"Other\", \"CreateCategoryFilter\", \"Category Filter\", \"Other\", \"GetLookalikeThreatCounts\", \"Lookalike Threat Counts\", \"Other\", \"GetLookalikeDomainCounts\", \"Lookalike Domain 
Counts\", \"Other\", \"CreateRoamingDeviceGroup\", \"Roaming Device Group\", \"Configuration Atom\", \"UpdatePartialRoamingDeviceGroup\", \"Partial Roaming Device Group\", \"Configuration Atom\" ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"AUDIT\" | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | lookup EventSeverityLookup on LogSeverity | lookup OperationLookup on DeviceAction | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') | project-rename EventResult = EventOutcome, Operation = DeviceAction, ActorUsername = SourceUserName, SrcIpAddr = SourceIP, EventOriginalSeverity = LogSeverity, EventMessage = Message, EventOriginalType = DeviceEventClassID, EventUid = _ItemId | extend Dvc = DvcHostname, EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, EventType = case( Operation has_any (\"update\", \"upsert\"), \"Set\", Operation has \"create\", \"Create\", Operation has \"delete\", \"Delete\", \"Other\" ), Object = iff(isempty(Object), \"Infoblox Network Resource\", Object), ObjectType = iff(isempty(ObjectType), \"Service\", ObjectType), Src = SrcIpAddr, ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"), AdditionalFields = bag_pack( \"InfobloxHTTPReqBody\", InfobloxHTTPReqBody, \"InfobloxHTTPRespBody\", InfobloxHTTPRespBody ), User = ActorUsername, IpAddr = SrcIpAddr, ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) | extend EventCount = toint(1), EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventSchema = \"AuditEvent\", EventSchemaVersion = \"0.1\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, 
ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, ExtID, Reason, Activity, Infoblox* }; parser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md
new file mode 100644
index 00000000000..677be52108b
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md
@@ -0,0 +1,18 @@
+# Infoblox BloxOne ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Infoblox BloxOne.
+
+This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
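Review bot: The EventType derivation near the end of the query (`Operation has_any ("update", "upsert")`, `Operation has "create"`, `Operation has "delete"`) will, as far as I recall KQL term semantics, never match the CamelCase DeviceAction values this same template enumerates in OperationLookup — `CreateSecurityPolicy`, `UpdateSecurityPolicy`, `CreateOrUpdateDfpService` are single alphanumeric terms, so `has` fails and they all land in "Other"; only the bare `Create`/`Update` rows would classify. Substring matching would fix it: `Operation contains "update" or Operation contains "upsert", "Set", Operation contains "create", "Create", Operation contains "delete", "Delete", "Other"`. Two smaller points: `EventSchemaVersion = "0.1"` disagrees with the `'0.1.0'` emitted by the sibling Illumio and Microsoft Event parsers in this same change, and the `"Policy Role"` ObjectType on the `CreateSecurityPolicy` row reads like a typo for the `"Policy"` used on `UpdateSecurityPolicy`. Also note that `AdditionalFields` carries `InfobloxHTTPReqBody`/`InfobloxHTTPRespBody` verbatim; if those bodies can contain credentials or API keys the normalized view reproduces them, so a comment such as `// raw HTTP bodies kept verbatim — confirm they carry no secrets before widening access to this view` (or a redaction step) would help.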
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventInfobloxBloxOne%2FASimAuditEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventInfobloxBloxOne%2FASimAuditEventInfobloxBloxOne.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json
index 5550bdd0a24..e709dd3ace8 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventMicrosoftEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventMicrosoftEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventMicrosoftEvent", - "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", 
\"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n Event\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | 
parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke 
_ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventMicrosoftEvent", + "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = 
dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", 
\"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n Event\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n 
let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json index be4739ab1d7..dd2be732ec4 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json 
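Review bot: `ParsedEventIds` (the first `dynamic([...])` in the query) does not include 1102, yet `EventlogEventIds`, `AuditLogClearedEventID` and the `1102, "Delete Logs"` row in `EventIDLookup` all expect it, so the `EventLog` branch can never produce rows and audit-log-clear events — a primary defense-evasion signal — are silently dropped by this parser. This is carried over from the old side rather than introduced by the restructuring, but since the commit touches every line of the query it is a good moment to fix it: `let ParsedEventIds = dynamic([1102, 4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);`. `AuditLogClearedEventID` is then a dead duplicate of `EventlogEventIds` and can be removed, or the filter in the `EventLog` branch should reference it so the name earns its keep.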
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventMicrosoftExchangeAdmin365')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventMicrosoftExchangeAdmin365", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Microsoft Exchange 365 administrative activity", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventMicrosoftExchangeAdmin365", - "query": "let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\n[\n // Regular, Regular\n \"Admin\", \"Admin\"\n , \"DcAdmin\", \"Admin\"\n , \"System\", \"System\"\n , \"Application\", \"Application\"\n , \"ServicePrincipal\", \"Service Principal\"\n , \"CustomPolicy\", \"Other\"\n , \"SystemPolicy\", \"Other\"\n , \"Reserved\", \"Other\"\n];\nlet eventtypes=datatable (op:string, EventType:string)\n[\n \"Remove\", \"Delete\",\n \"New\", \"Create\",\n \"Add\", \"Create\",\n \"Enable\", \"Enable\",\n \"Install\", \"Install\",\n \"Set\", \"Set\",\n \"Disable\", \"Disable\",\n \"disable\", \"Disable\"\n];\nlet parser=(disabled:bool=false){\n OfficeActivity\n | where not(disabled)\n | where RecordType in ('ExchangeAdmin')\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\n | extend \n SplitOp = split (Operation,\"-\")\n | extend\n op=tostring(SplitOp[0])\n | lookup eventtypes on op\n | project-away op\n // --\n // Calculate Object\n | extend\n 
SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', OfficeObjectId)[0]\n | extend \n Object = case (\n SplitObject[0] == OrganizationName, SplitObject[1], \n OfficeObjectId == \"\", SplitOp[1],\n OfficeObjectId\n )\n | project-away SplitOp, OfficeObjectId\n // --\n // Calculate source IP address and port\n | extend \n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\n | extend \n SrcIpAddr = iff (SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\n | extend \n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\n ActingAppType = iff (ActingAppName == \"\", \"\", \"Process\")\n | project-rename\n SrcDescription = OriginatingServer,\n NewValue = Parameters \n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\n | project-rename\n HttpUserAgent = UserAgent, \n ActorOriginalUserType = UserType,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId\n | lookup usertypes on ActorOriginalUserType\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Exchange 365',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n TargetAppName = 'Exchange 365',\n TargetAppType = 'SaaS application',\n EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\n | project-away \n ResultStatus\n | extend\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n // -- Aliases\n | extend \n User=ActorUsername,\n IpAddr = SrcIpAddr,\n Value = NewValue,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = coalesce (SrcIpAddr, SrcDescription),\n Dvc = TargetAppName,\n // -- Entity identifier explicit aliases\n ActorUserUpn = iif (ActorUsernameType == 
\"UPN\", ActorUsername, \"\"),\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Microsoft Exchange 365 administrative activity", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventMicrosoftExchangeAdmin365", + "query": "let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\n[\n // Regular, Regular\n \"Admin\", \"Admin\"\n , \"DcAdmin\", \"Admin\"\n , \"System\", \"System\"\n , \"Application\", \"Application\"\n , \"ServicePrincipal\", \"Service Principal\"\n , \"CustomPolicy\", \"Other\"\n , \"SystemPolicy\", \"Other\"\n , \"Reserved\", \"Other\"\n];\nlet eventtypes=datatable (op:string, EventType:string)\n[\n \"Remove\", \"Delete\",\n \"New\", \"Create\",\n \"Add\", \"Create\",\n \"Enable\", \"Enable\",\n \"Install\", \"Install\",\n \"Set\", \"Set\",\n \"Disable\", \"Disable\",\n \"disable\", \"Disable\"\n];\nlet parser=(disabled:bool=false){\n OfficeActivity\n | where not(disabled)\n | where RecordType in ('ExchangeAdmin')\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\n | extend \n SplitOp = split (Operation,\"-\")\n | extend\n op=tostring(SplitOp[0])\n | lookup eventtypes on op\n | project-away op\n // --\n // Calculate Object\n | extend\n SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', OfficeObjectId)[0]\n | extend \n Object = case (\n SplitObject[0] == OrganizationName, SplitObject[1], \n OfficeObjectId == \"\", SplitOp[1],\n OfficeObjectId\n )\n | project-away SplitOp, OfficeObjectId\n // --\n // Calculate source IP address and port\n | extend \n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\n | extend \n SrcIpAddr = iff 
(SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\n | extend \n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\n ActingAppType = iff (ActingAppName == \"\", \"\", \"Process\")\n | project-rename\n SrcDescription = OriginatingServer,\n NewValue = Parameters \n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\n | project-rename\n HttpUserAgent = UserAgent, \n ActorOriginalUserType = UserType,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId\n | lookup usertypes on ActorOriginalUserType\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Exchange 365',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n TargetAppName = 'Exchange 365',\n TargetAppType = 'SaaS application',\n EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\n | project-away \n ResultStatus\n | extend\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n // -- Aliases\n | extend \n User=ActorUsername,\n IpAddr = SrcIpAddr,\n Value = NewValue,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = coalesce (SrcIpAddr, SrcDescription),\n Dvc = TargetAppName,\n // -- Entity identifier explicit aliases\n ActorUserUpn = iif (ActorUsernameType == \"UPN\", ActorUsername, \"\"),\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\n };\n parser (disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-} \ No newline at end of file
+}
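Review bot: The source-address regex on the new side, `^\[?(.*?)\]?:(\d+)$` (JSON-escaped in the template), leaves the brackets optional, so an unbracketed IPv6 ClientIP such as `2001:db8::1` also matches: the lazy group stops before the last colon and the event is emitted with a truncated SrcIpAddr of `2001:db8:` and a spurious SrcPortNumber of 1. SrcIpAddr/IpAddr are the fields analysts pivot on for Exchange admin activity, so mis-attributing the source is worth fixing here rather than downstream. Requiring the bracket form whenever the address itself contains colons avoids this: `SplitIpAddr = extract_all(@'^(?:\[([^\]]+)\]|([^:]+)):(\d+)$', ClientIP)[0]`, `SrcIpAddr = iff(isempty(SplitIpAddr[2]), ClientIP, iff(isempty(SplitIpAddr[0]), tostring(SplitIpAddr[1]), tostring(SplitIpAddr[0])))`, `SrcPortNumber = toint(SplitIpAddr[2])`. Whether bare IPv6 values actually appear in this OfficeActivity feed needs confirming against data, but the parser should not depend on it.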
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json
index be994c442df..161fdc34df2 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventMicrosoftSecurityEvents", - "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled 
Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union\n (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, 
EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where EventID in (AuditLogClearedEventID) and EventSourceName == \"Microsoft-Windows-Eventlog\"\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend Parsed_EventData = parse_xml(EventData)\n | extend\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\n SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\n | project-away EventData, Parsed_EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse 
WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventMicrosoftSecurityEvents", + "query": "let parser = 
(disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall 
Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union\n (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where EventID in (AuditLogClearedEventID) and EventSourceName == \"Microsoft-Windows-Eventlog\"\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend Parsed_EventData = parse_xml(EventData)\n | extend\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\n 
SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\n | project-away EventData, Parsed_EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = 
SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json index 547ac47bac8..1b9e9da427b 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json 
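Review bot: In the new query only the 1102 branch of the union pins the provider (`EventSourceName == "Microsoft-Windows-Eventlog"`); the first branch selects on `EventID in(ParsedEventIds)` alone and then maps through EventIDLookup purely by number. Event IDs are only unique per provider, and 7035/7036/7040/7045 and 2009 are not Security-Auditing IDs, so an event with a colliding ID from another source would be labelled e.g. "Install Service" with a fixed EventResult of Success. Whether such collisions occur in SecurityEvent depends on the collector configuration, so this is a hedged point, but the asymmetry is cheap to close: `| where EventID in(ParsedEventIds) and EventSourceName in (<expected providers>)`, with the provider set for 7035–7045 and 2009 confirmed against data before it is hard-coded.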
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventMicrosoftWindowsEvents", - "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", 
\"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, 
TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | project-away EventData\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | 
project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", + "category": "ASIM", + 
"FunctionAlias": "ASimAuditEventMicrosoftWindowsEvents", + "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", 
\"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | project-away EventData\n ),\n (\n WindowsEvent\n | 
where not(disabled)\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n 
ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json
index f89a67bcae3..889fbe25144 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAuditEventSentinelOne')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimAuditEventSentinelOne",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit Event ASIM parser for SentinelOne",
- "category": "ASIM",
- "FunctionAlias": "ASimAuditEventSentinelOne",
- "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - Agent Notification 
On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", 
\"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", 
\"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", 
\"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To Move To Another 
Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", 
\"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", 
\"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", \"\", \"Success\", 
\"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", 
\"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", 
\"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, \"Network 
Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n 
threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser = (disabled: bool=false) {\n let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and event_name_s == \"Activities.\"\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n 
threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (RawGroupSiteActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where activityType_d in (52, 53, 54, 
55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory_datafields = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, email: 
string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\n TargetIpAddr = 
coalesce(externalIp, ip, gatewayExternalIp),\n ThreatCategory_datafields = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d;\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n TimeGenerated,\n 
threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = \"SentinelOne\",\n 
EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\"),\n ThreatCategory = coalesce(ThreatCategory_datafields, ThreatCategory_threats)\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n rulesRemoved,\n 
tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventSentinelOne", + "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - 
Agent Notification On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", 
\"Disable\", \"\", \"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", 
\"Policy Upgrade\", \"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", 
\"Success\", \"\", \"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To 
Move To Another Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", 
\"Success\", \"Hash\", \"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings 
Modified\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", 
\"Set\", \"\", \"Success\", \"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from 
Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", 
\"Success\", \"\", \"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, 
\"Network Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = 
datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser = (disabled: bool=false) {\n let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and event_name_s == \"Activities.\"\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n 
threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (RawGroupSiteActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where 
activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory_datafields = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: 
string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, 
oldTagDescription),\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\n ThreatCategory_datafields = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d;\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n 
TimeGenerated,\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = 
\"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\"),\n ThreatCategory = coalesce(ThreatCategory_datafields, ThreatCategory_threats)\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n 
rulesRemoved,\n tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json index 877acdb8692..01f0ed391b8 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventVMwareCarbonBlackCloud", - "query": "let EventTypeLookup = datatable(temp_type: string, EventType: string)[\n\"created\", \"Create\",\n\"updated\", \"Set\",\n\"deleted\", \"Delete\",\n\"added\", \"Create\",\n\"modified\", \"Set\"\n];\nlet parser = (disabled: bool=false) {\n let allData = CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where not(description_s has_any (\"logged in\", \"login\"));\n let Enabled = allData\n | where description_s has_cs \"Enabled\"\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\n | extend\n EventType = \"Enable\",\n Operation = description_s,\n Object = coalesce(temp_object1, temp_object2, temp_object3),\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\n let Set = allData\n | where description_s startswith \"Set\"\n | parse description_s with \"Set \" temp_field_s: string \" 
to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n Object = temp_field_s,\n EventType = \"Set\",\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\n ObjectType = \"Configuration Atom\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\n let AlertNotify = allData\n | where description_s has \"alert notification\"\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\n | extend\n Operation = strcat(temp_type, \" alert notification\"),\n temp_type = tolower(temp_type),\n Object = coalesce(name, \"alert notification\"),\n ObjectType = \"Service\"\n | lookup EventTypeLookup on temp_type;\n let CustomRole = allData\n | where description_s has \"custom role\"\n | parse description_s with temp_type1: string \" custom role \" temp_rolename1: string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\n | extend\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\n Object = coalesce(temp_rolename1, temp_rolename2),\n ObjectType = \"Other\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" custom role \", Object),\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\n let Policy = allData\n | where description_s startswith \"Policy\"\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed 
to \" NewValue: string \" (ID: \" temp_restmessage2: string\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" temp_type3: string\n | extend\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\n ObjectType = \"Policy Rule\",\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\n OldValue = temp_policyname2,\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\n let Changed = allData\n | where description_s startswith \"Changed policy\"\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * \"device(s): \" temp_deviceid_s: string \n | extend\n EventType = \"Set\",\n Operation = strcat(temp_operation_s, \" to \", NewValue),\n Object = NewValue,\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let ParamsUpdated = allData\n | where description_s startswith \"Parameters updated\"\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\n | extend\n temp_operation = coalesce(temp_config1, temp_config2),\n temp_configid = coalesce(temp_configid1, temp_configid2)\n | extend\n EventType = \"Set\", \n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", 
temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"config id\", temp_configid);\n let Reputation = allData\n | where description_s has_cs \"Reputation\"\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\n | extend\n temp_type = coalesce(temp_type1, temp_type2),\n Object = iff(isnotempty(temp_reptype1), strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\n ObjectType = \"Configuration Atom\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" \", Object),\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\n let PolicyUpdateApplied = allData\n | where description_s has \"Policy update applied\"\n | parse description_s with * \"policy to \" Object: string\n | extend\n EventType = \"Set\",\n Operation = \"Policy update applied\",\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\"\n ;\n let auto_deletion = allData\n | where description_s has_all (\"auto-deletion\", \"devices\")\n | parse description_s with TargetFQDN: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"auto-deletion\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Hash_Deleted = allData\n | where description_s startswith \"Hash - \"\n | parse description_s 
with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Request\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\";\n let Failure_Deleting_Hash = allData\n | where description_s startswith \"Failure deleting hash\"\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Failure\";\n let Delete_Hash = allData\n | where description_s startswith \"Delete Hash\"\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let Success_Deleting_Hash = allData\n | where description_s startswith \"Success deleting hash\"\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Success\";\n let DeviceUninstalled = allData\n | where description_s has_all (\"Device\", \"uninstalled\")\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = 
\"Uninstall\",\n Operation = \"Uninstall\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let DeviceReset = allData\n | where description_s startswith (\"Device reset requested\")\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\n | extend \n EventType = \"Set\",\n Operation = \"Device reset\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let CreateOrModifyPolicy = allData\n | where description_s startswith \"Request received to\"\n | parse description_s with * \"policy \" Object: string\n | extend\n EventType = case(\n description_s has \"modify policy\",\n \"Set\", \n description_s has \"create new policy\",\n \"Create\",\n \"\"\n ),\n Operation = case(\n description_s has \"modify policy\",\n \"modify policy\", \n description_s has \"create new policy\",\n \"create new policy\",\n \"\"\n ),\n Object = replace_string(Object, \"- \", \"\"),\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\";\n let LogsRequested = allData\n | where description_s startswith (\"Logs requested\")\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\n | extend \n EventType = \"Read\",\n Operation = \"Logs requested\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Re_Registration = allData\n | where description_s startswith \"Re-registration of device\"\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Enable\",\n Operation = \"Re-registration of device\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n union\n Enabled,\n Set,\n AlertNotify,\n CustomRole,\n Policy,\n Changed,\n ParamsUpdated,\n Reputation,\n 
PolicyUpdateApplied,\n auto_deletion,\n Hash_Deleted,\n Failure_Deleting_Hash,\n Delete_Hash,\n Success_Deleting_Hash,\n DeviceUninstalled,\n DeviceReset,\n CreateOrModifyPolicy,\n LogsRequested,\n Re_Registration\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\n | extend\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventVendor = \"VMware\",\n EventResult = iif(isnotempty(EventResult), EventResult, \"Success\"),\n EventCount = int(1)\n | project-rename\n ActorUsername = loginName_s,\n EventUid = _ItemId,\n SrcIpAddr = clientIp_s,\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n ActorScope = orgName_s\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n User = ActorUsername,\n Value = NewValue,\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | project-away \n *_s,\n *_d,\n *_b,\n temp*,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ResourceId,\n name,\n EventSeverity1\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable(temp_type: string, EventType: string)[\n\"created\", \"Create\",\n\"updated\", \"Set\",\n\"deleted\", \"Delete\",\n\"added\", \"Create\",\n\"modified\", \"Set\"\n];\nlet parser = (disabled: bool=false) 
{\n let allData = CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where not(description_s has_any (\"logged in\", \"login\"));\n let Enabled = allData\n | where description_s has_cs \"Enabled\"\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\n | extend\n EventType = \"Enable\",\n Operation = description_s,\n Object = coalesce(temp_object1, temp_object2, temp_object3),\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\n let Set = allData\n | where description_s startswith \"Set\"\n | parse description_s with \"Set \" temp_field_s: string \" to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n Object = temp_field_s,\n EventType = \"Set\",\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\n ObjectType = \"Configuration Atom\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\n let AlertNotify = allData\n | where description_s has \"alert notification\"\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\n | extend\n Operation = strcat(temp_type, \" alert notification\"),\n temp_type = tolower(temp_type),\n Object = coalesce(name, \"alert notification\"),\n ObjectType = \"Service\"\n | lookup EventTypeLookup on temp_type;\n let CustomRole = allData\n | where description_s has \"custom role\"\n | parse description_s with temp_type1: string \" custom role \" temp_rolename1: 
string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\n | extend\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\n Object = coalesce(temp_rolename1, temp_rolename2),\n ObjectType = \"Other\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" custom role \", Object),\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\n let Policy = allData\n | where description_s startswith \"Policy\"\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed to \" NewValue: string \" (ID: \" temp_restmessage2: string\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" temp_type3: string\n | extend\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\n ObjectType = \"Policy Rule\",\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\n OldValue = temp_policyname2,\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\n let Changed = allData\n | where description_s startswith \"Changed policy\"\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * \"device(s): \" temp_deviceid_s: string \n | extend\n EventType = \"Set\",\n Operation = strcat(temp_operation_s, \" to \", NewValue),\n Object = 
NewValue,\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let ParamsUpdated = allData\n | where description_s startswith \"Parameters updated\"\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\n | extend\n temp_operation = coalesce(temp_config1, temp_config2),\n temp_configid = coalesce(temp_configid1, temp_configid2)\n | extend\n EventType = \"Set\", \n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"config id\", temp_configid);\n let Reputation = allData\n | where description_s has_cs \"Reputation\"\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\n | extend\n temp_type = coalesce(temp_type1, temp_type2),\n Object = iff(isnotempty(temp_reptype1), strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\n ObjectType = \"Configuration Atom\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" \", 
Object),\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\n let PolicyUpdateApplied = allData\n | where description_s has \"Policy update applied\"\n | parse description_s with * \"policy to \" Object: string\n | extend\n EventType = \"Set\",\n Operation = \"Policy update applied\",\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\"\n ;\n let auto_deletion = allData\n | where description_s has_all (\"auto-deletion\", \"devices\")\n | parse description_s with TargetFQDN: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"auto-deletion\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Hash_Deleted = allData\n | where description_s startswith \"Hash - \"\n | parse description_s with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Request\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\";\n let Failure_Deleting_Hash = allData\n | where description_s startswith \"Failure deleting hash\"\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Failure\";\n let Delete_Hash = allData\n | where description_s startswith \"Delete Hash\"\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n 
OriginalObjectType = \"Hash\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let Success_Deleting_Hash = allData\n | where description_s startswith \"Success deleting hash\"\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Success\";\n let DeviceUninstalled = allData\n | where description_s has_all (\"Device\", \"uninstalled\")\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Uninstall\",\n Operation = \"Uninstall\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let DeviceReset = allData\n | where description_s startswith (\"Device reset requested\")\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\n | extend \n EventType = \"Set\",\n Operation = \"Device reset\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let CreateOrModifyPolicy = allData\n | where description_s startswith \"Request received to\"\n | parse description_s with * \"policy \" Object: string\n | extend\n EventType = case(\n description_s has \"modify policy\",\n \"Set\", \n description_s has \"create new policy\",\n \"Create\",\n \"\"\n ),\n Operation = case(\n description_s has \"modify policy\",\n \"modify policy\", \n description_s has \"create new policy\",\n \"create new policy\",\n \"\"\n ),\n Object = replace_string(Object, \"- \", \"\"),\n ObjectType = \"Policy Rule\",\n OriginalObjectType = 
\"Policy\";\n let LogsRequested = allData\n | where description_s startswith (\"Logs requested\")\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\n | extend \n EventType = \"Read\",\n Operation = \"Logs requested\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Re_Registration = allData\n | where description_s startswith \"Re-registration of device\"\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Enable\",\n Operation = \"Re-registration of device\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n union\n Enabled,\n Set,\n AlertNotify,\n CustomRole,\n Policy,\n Changed,\n ParamsUpdated,\n Reputation,\n PolicyUpdateApplied,\n auto_deletion,\n Hash_Deleted,\n Failure_Deleting_Hash,\n Delete_Hash,\n Success_Deleting_Hash,\n DeviceUninstalled,\n DeviceReset,\n CreateOrModifyPolicy,\n LogsRequested,\n Re_Registration\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\n | extend\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventVendor = \"VMware\",\n EventResult = iif(isnotempty(EventResult), EventResult, \"Success\"),\n EventCount = int(1)\n | project-rename\n ActorUsername = loginName_s,\n EventUid = _ItemId,\n SrcIpAddr = clientIp_s,\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n ActorScope = orgName_s\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), 
\"Other\", \"\"),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n User = ActorUsername,\n Value = NewValue,\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | project-away \n *_s,\n *_d,\n *_b,\n temp*,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ResourceId,\n name,\n EventSeverity1\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json index 1cac4446d1a..da4763366fa 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json 
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAuditEventVectraXDRAudit')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimAuditEventVectraXDRAudit",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit Event ASIM parser for Vectra XDR Audit Logs Event",
- "category": "ASIM",
- "FunctionAlias": "ASimAuditEventVectraXDRAudit",
- "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = \"Other\",\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)",
- "version": 1,
- "functionParameters": "disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Vectra XDR Audit Logs Event",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEventVectraXDRAudit",
+ "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = \"Other\",\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
index 312bc6857ec..68deeacbfbb 100644
--- a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
@@ -178,6 +178,46 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventInfobloxBloxOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
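Review bot: Both new linked deployments resolve `templateLink.uri` against the mutable `master` branch on raw.githubusercontent.com, so `"contentVersion": "1.0.0.0"` pins nothing; whatever is on that branch at deploy time is executed with the caller's `Workspace` and `WorkspaceRegion` parameters. This follows the convention of the existing entries in this file, and the two vim entries added in the next hunk at `@@ -498,6 +538,46 @@` do the same, so it is a file-wide property rather than something this commit introduces. If reproducible deployments matter to the project, the URI would reference a release tag or commit instead of `master`, and `contentVersion` would be bumped when the linked template changes; otherwise a comment in the top-level template stating that linked templates track `master` would set expectations for deployers.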
@@ -498,6 +538,46 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventInfobloxBloxOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
index 25f572416b7..a7956316c4d 100644
--- a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imAuditEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imAuditEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit event ASIM filtering parser.", - "category": "ASIM", - "FunctionAlias": "imAuditEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimAuditEvent')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty,\n vimAuditEventMicrosoftExchangeAdmin365 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers)))),\n vimAuditEventMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in 
(DisabledParsers)))),\n vimAuditEventMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftEvent (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftEvents' in (DisabledParsers)))),\n vimAuditEventAzureActivity (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))),\n vimAuditEventCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers)))),\n vimAuditEventCiscoMerakiSyslog (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, 
newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMerakiSyslog' in (DisabledParsers)))),\n vimAuditEventBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers)))),\n vimAuditEventBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaCEF' in (DisabledParsers)))),\n vimAuditEventCiscoISE (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoISE' in (DisabledParsers)))),\n vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))),\n vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))),\n vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))),\n vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))))\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit event ASIM filtering parser.", + "category": "ASIM", + "FunctionAlias": "imAuditEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimAuditEvent')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty,\n vimAuditEventMicrosoftExchangeAdmin365 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, 
object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers)))),\n vimAuditEventMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftEvent (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftEvents' in (DisabledParsers)))),\n vimAuditEventAzureActivity (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))),\n vimAuditEventCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, 
eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers)))),\n vimAuditEventCiscoMerakiSyslog (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMerakiSyslog' in (DisabledParsers)))),\n vimAuditEventBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers)))),\n vimAuditEventBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaCEF' in (DisabledParsers)))),\n vimAuditEventCiscoISE (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoISE' in (DisabledParsers)))),\n vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or 
('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))),\n vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))),\n vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))),\n vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)))),\n vimAuditEventIllumioSaaSCore(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, 
object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventIllumioSaaSCore' in (DisabledParsers))))\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventAzureAdminActivity/vimAuditEventAzureAdminActivity.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventAzureAdminActivity/vimAuditEventAzureAdminActivity.json
index 8858e09deff..c47a9bac814 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventAzureAdminActivity/vimAuditEventAzureAdminActivity.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventAzureAdminActivity/vimAuditEventAzureAdminActivity.json
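Review bot: The new union entry in the `query` string calls `vimAuditEventInfbloxBloxOne(...)` and gates it on `'ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)`, while the linked deployment this same change adds to FullDeploymentAuditEvent.json deploys `vimAuditEventInfobloxBloxOne`; because the union is `isfuzzy=true`, a reference to a function that does not exist is dropped silently, so Infoblox audit events would never surface through imAuditEvent and the disable-watchlist key would not follow the `Excludevim<Alias>` naming used by every other entry. Unless the deployed alias really is spelled `Infblox`, both occurrences should read `vimAuditEventInfobloxBloxOne(...)` and `'ExcludevimAuditEventInfobloxBloxOne' in (DisabledParsers)`. This JSON appears to be generator output (the KqlFuncYaml2Arm.py change in this commit), so the correction presumably belongs in the source YAML the generator reads as well as here. The argument order of that call also differs from every other entry in the union; harmless with named arguments, but worth aligning so the list stays diffable.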
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventAzureActivity')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventAzureActivity", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Azure administrative activity", - "category": "ASIM", - "FunctionAlias": "vimAuditEventAzureActivity", - "query": "let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ){\n let AzureActivityOperationLookup = datatable (op:string, EventType:string) \n [\n 'ACTION', 'Execute',\n 'WRITE', 'Set',\n 'DELETE', 'Delete'\n ];\n let AzureActivityStatusLookup = datatable (ActivityStatusValue:string, ActivitySubstatusValue:string, EventResult:string, EventResultDetails:string) \n [\n \"Accept\",\"Accepted\",\"Success\",\"\",\n \"Accept\",\"Created\",\"Success\",\"\",\n \"Accept\",\"OK\",\"Success\",\"\",\n \"Accept\",\"\",\"Success\",\"\",\n \"Accepted\",\"\",\"Success\",\"\",\n \"Active\",\"\",\"Success\",\"Active\",\n \"Failed\",\"\",\"Failure\",\"\",\n \"Failure\",\"BadRequest\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Conflict\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n 
\"Failure\",\"InternalServerError\",\"Failure\",\"Internal error\",\n \"Failure\",\"MethodNotAllowed\",\"Failure\",\"Bad Request\",\n \"Failure\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failure\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"\",\"Failure\",\"\",\n \"In Progress\",\"\",\"Success\",\"In Progress\",\n \"Resolved\",\"\",\"Success\",\"\",\n \"Start\",\"\",\"Success\",\"Start\",\n \"Started\",\"\",\"Success\",\"Start\",\n \"Succeeded\",\"\",\"Success\",\"\",\n \"Success\",\"Created\",\"Success\",\"\",\n \"Success\",\"NoContent\",\"Success\",\"\",\n \"Success\",\"OK\",\"Success\",\"\",\n \"Success\",\"\",\"Success\",\"\",\n \"Updated\",\"\",\"Success\",\"\",\n \"Succeeded\",\"OK\",\"Success\",\"\",\n \"Accepted\",\"Accepted\",\"Success\",\"\",\n \"Accepted\",\"OK\",\"Success\",\"\",\n \"Failed\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Succeeded\",\"Created\",\"Success\",\"\",\n \"Failed\",\"BadRequest\",\"Failure\",\"Bad request\",\n \"Accepted\",\"Created\",\"Success\",\"\",\n \"Failed\",\"Conflict\",\"Failure\",\"Bad request\",\n \"Failed\",\"MethodNotAllowed\",\"Failure\",\"Bad request\",\n \"Failure\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Succeeded\",\"NoContent\",\"Success\",\"\",\n \"Failure\",\"ServiceUnavailable\",\"Failure\",\"Internal error\",\n \"Failure\",\"GatewayTimeout\",\"Failure\",\"Internal error\",\n \"Failed\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failed\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Failure\",\"UnsupportedMediaType\",\"Failure\",\"Bad request\",\n \"Failed\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Cancel\",\"\",\"Failure\",\"Cancelled\"\n ];\n AzureActivity \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(newvalue_has_any) == 0)\n | where CategoryValue == \"Administrative\"\n | project-away HTTPRequest, Level, SourceSystem, EventSubmissionTimestamp, 
TenantId, OperationId, Hierarchy, Category, ResourceId, ResourceProvider, Resource\n | where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(CallerIpAddress,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or Caller has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or OperationNameValue has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Properties has_any (object_has_any))\n // --\n // Calculate and filter by EventType\n | extend op = toupper(tostring(split(OperationNameValue,\"/\")[-1]))\n | lookup AzureActivityOperationLookup on op\n | extend EventType = iff (EventType == \"\", \"Other\", EventType)\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | project-away op\n // --\n // Calculate EventResult, EventResultDetails, and EventResultOriginalDetails\n | extend\n EventOriginalResultDetails = strcat (\n ActivityStatusValue, \n iff (ActivitySubstatusValue !=\"\", strcat(' [', ActivitySubstatusValue, ']'), \"\")\n )\n | extend \n ActivitySubstatusValue = iff (ActivitySubstatusValue matches regex \"\\\\d+\", \"\", ActivitySubstatusValue)\n | lookup AzureActivityStatusLookup on ActivityStatusValue, ActivitySubstatusValue\n | extend EventResult = iff(EventResult == \"\", \"Other\", EventResult)\n | where eventresult == \"*\" or (EventResult == eventresult) // Not optimized\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n | project-away ActivityStatus*, ActivitySubstatus* // \n | project-rename \n Operation = OperationNameValue,\n SrcIpAddr = CallerIpAddress,\n EventOriginalUid = EventDataId,\n ActorSessionId = CorrelationId,\n EventOriginalType = CategoryValue\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Azure',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ObjectType = \"Cloud 
Resource\",\n TargetAppName = \"Azure\",\n TargetAppType = \"CSP\"\n // --\n // Calculate Actor\n | extend \n Caller = iff(Caller == \"Microsoft.RecoveryServices\", \"\", Caller)\n | extend \n ActorUsernameType = iff (Caller has \"@\", \"UPN\", \"\")\n | extend \n ActorUsername = iff (ActorUsernameType == \"UPN\", Caller, \"\"),\n ActorUserId = iff (ActorUsernameType != \"UPN\", Caller, \"\")\n | extend\n ActorUserIdType = iff (ActorUserId != \"\", \"AADID\", \"\")\n | project-away Caller\n // --\n // Calculate Object\n | extend \n entity = tostring(Properties_d.entity), \n resource = tostring(Properties_d.resource),\n entity_name = tostring(Properties_d.[\"Entity Name\"])\n | extend Object = case ( \n entity != \"\", entity,\n strcat (\"/subscriptions/\", SubscriptionId, \"/resourceGroups/\", ResourceGroup, \"/providers/\", ResourceProviderValue, \"/\",resource, iff (entity_name != \"\", strcat(\"/\", entity_name), \"\"))\n )\n | project-away entity, resource,entity_name, _SubscriptionId, SubscriptionId, ResourceGroup, ResourceProviderValue\n // Aliases\n | extend AdditionalFields = pack_dictionary(\"Authorization\", Authorization_d, \"Claims\", Claims_d, \"Error\", Properties_d.statusMessage)\n // -- Aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = SrcIpAddr,\n // -- Entity identifier explicit aliases\n ActorUserUpn = ActorUsername,\n ActorUserAadId = ActorUserId\n | project-away OperationName, Properties*, Authorization*, Claims*\n // -- Properties*\n};\nparser\n(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Azure administrative activity", + "category": "ASIM", + "FunctionAlias": "vimAuditEventAzureActivity", + "query": "let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ){\n let AzureActivityOperationLookup = datatable (op:string, EventType:string) \n [\n 'ACTION', 'Execute',\n 'WRITE', 'Set',\n 'DELETE', 'Delete'\n ];\n let AzureActivityStatusLookup = datatable (ActivityStatusValue:string, ActivitySubstatusValue:string, EventResult:string, EventResultDetails:string) \n [\n \"Accept\",\"Accepted\",\"Success\",\"\",\n \"Accept\",\"Created\",\"Success\",\"\",\n \"Accept\",\"OK\",\"Success\",\"\",\n \"Accept\",\"\",\"Success\",\"\",\n \"Accepted\",\"\",\"Success\",\"\",\n \"Active\",\"\",\"Success\",\"Active\",\n \"Failed\",\"\",\"Failure\",\"\",\n \"Failure\",\"BadRequest\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Conflict\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"InternalServerError\",\"Failure\",\"Internal error\",\n \"Failure\",\"MethodNotAllowed\",\"Failure\",\"Bad Request\",\n \"Failure\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failure\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"\",\"Failure\",\"\",\n \"In 
Progress\",\"\",\"Success\",\"In Progress\",\n \"Resolved\",\"\",\"Success\",\"\",\n \"Start\",\"\",\"Success\",\"Start\",\n \"Started\",\"\",\"Success\",\"Start\",\n \"Succeeded\",\"\",\"Success\",\"\",\n \"Success\",\"Created\",\"Success\",\"\",\n \"Success\",\"NoContent\",\"Success\",\"\",\n \"Success\",\"OK\",\"Success\",\"\",\n \"Success\",\"\",\"Success\",\"\",\n \"Updated\",\"\",\"Success\",\"\",\n \"Succeeded\",\"OK\",\"Success\",\"\",\n \"Accepted\",\"Accepted\",\"Success\",\"\",\n \"Accepted\",\"OK\",\"Success\",\"\",\n \"Failed\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Succeeded\",\"Created\",\"Success\",\"\",\n \"Failed\",\"BadRequest\",\"Failure\",\"Bad request\",\n \"Accepted\",\"Created\",\"Success\",\"\",\n \"Failed\",\"Conflict\",\"Failure\",\"Bad request\",\n \"Failed\",\"MethodNotAllowed\",\"Failure\",\"Bad request\",\n \"Failure\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Succeeded\",\"NoContent\",\"Success\",\"\",\n \"Failure\",\"ServiceUnavailable\",\"Failure\",\"Internal error\",\n \"Failure\",\"GatewayTimeout\",\"Failure\",\"Internal error\",\n \"Failed\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failed\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Failure\",\"UnsupportedMediaType\",\"Failure\",\"Bad request\",\n \"Failed\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Cancel\",\"\",\"Failure\",\"Cancelled\"\n ];\n AzureActivity \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(newvalue_has_any) == 0)\n | where CategoryValue == \"Administrative\"\n | project-away HTTPRequest, Level, SourceSystem, EventSubmissionTimestamp, TenantId, OperationId, Hierarchy, Category, ResourceId, ResourceProvider, Resource\n | where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(CallerIpAddress,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or Caller has_any 
(actorusername_has_any))\n and (array_length(operation_has_any) == 0 or OperationNameValue has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Properties has_any (object_has_any))\n // --\n // Calculate and filter by EventType\n | extend op = toupper(tostring(split(OperationNameValue,\"/\")[-1]))\n | lookup AzureActivityOperationLookup on op\n | extend EventType = iff (EventType == \"\", \"Other\", EventType)\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | project-away op\n // --\n // Calculate EventResult, EventResultDetails, and EventResultOriginalDetails\n | extend\n EventOriginalResultDetails = strcat (\n ActivityStatusValue, \n iff (ActivitySubstatusValue !=\"\", strcat(' [', ActivitySubstatusValue, ']'), \"\")\n )\n | extend \n ActivitySubstatusValue = iff (ActivitySubstatusValue matches regex \"\\\\d+\", \"\", ActivitySubstatusValue)\n | lookup AzureActivityStatusLookup on ActivityStatusValue, ActivitySubstatusValue\n | extend EventResult = iff(EventResult == \"\", \"Other\", EventResult)\n | where eventresult == \"*\" or (EventResult == eventresult) // Not optimized\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n | project-away ActivityStatus*, ActivitySubstatus* // \n | project-rename \n Operation = OperationNameValue,\n SrcIpAddr = CallerIpAddress,\n EventOriginalUid = EventDataId,\n ActorSessionId = CorrelationId,\n EventOriginalType = CategoryValue\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Azure',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ObjectType = \"Cloud Resource\",\n TargetAppName = \"Azure\",\n TargetAppType = \"CSP\"\n // --\n // Calculate Actor\n | extend \n Caller = iff(Caller == \"Microsoft.RecoveryServices\", \"\", Caller)\n | extend \n ActorUsernameType = iff (Caller has \"@\", \"UPN\", \"\")\n | extend \n ActorUsername = iff 
(ActorUsernameType == \"UPN\", Caller, \"\"),\n ActorUserId = iff (ActorUsernameType != \"UPN\", Caller, \"\")\n | extend\n ActorUserIdType = iff (ActorUserId != \"\", \"AADID\", \"\")\n | project-away Caller\n // --\n // Calculate Object\n | extend \n entity = tostring(Properties_d.entity), \n resource = tostring(Properties_d.resource),\n entity_name = tostring(Properties_d.[\"Entity Name\"])\n | extend Object = case ( \n entity != \"\", entity,\n strcat (\"/subscriptions/\", SubscriptionId, \"/resourceGroups/\", ResourceGroup, \"/providers/\", ResourceProviderValue, \"/\",resource, iff (entity_name != \"\", strcat(\"/\", entity_name), \"\"))\n )\n | project-away entity, resource,entity_name, _SubscriptionId, SubscriptionId, ResourceGroup, ResourceProviderValue\n // Aliases\n | extend AdditionalFields = pack_dictionary(\"Authorization\", Authorization_d, \"Claims\", Claims_d, \"Error\", Properties_d.statusMessage)\n // -- Aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = SrcIpAddr,\n // -- Entity identifier explicit aliases\n ActorUserUpn = ActorUsername,\n ActorUserAadId = ActorUserId\n | project-away OperationName, Properties*, Authorization*, Claims*\n // -- Properties*\n};\nparser\n(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaCEF/vimAuditEventBarracudaCEF.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaCEF/vimAuditEventBarracudaCEF.json index 127468691a6..bfbbf59444d 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaCEF/vimAuditEventBarracudaCEF.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaCEF/vimAuditEventBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimAuditEventBarracudaCEF", - "query": "let EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet 
parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n | extend\n Operation = ProcessName,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or DeviceCustomString1 has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string \n | extend Reason = trim(@'(\")', Reason)\n | extend \n EventResultDetails = Reason\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = DeviceName, \n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n 
DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n EventUid = _ItemId,\n ThreatConfidence = toint(ThreatConfidence),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername),\"Simple\",\"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n EventType_lookup,\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,CollectorHostName,\n _ItemId;\n BarracudaCEF\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Barracuda 
WAF", + "category": "ASIM", + "FunctionAlias": "vimAuditEventBarracudaCEF", + "query": "let EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= 
endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n | extend\n Operation = ProcessName,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or DeviceCustomString1 has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string \n | extend Reason = trim(@'(\")', Reason)\n | extend \n EventResultDetails = Reason\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = DeviceName, \n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n EventUid = _ItemId,\n ThreatConfidence = toint(ThreatConfidence),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername),\"Simple\",\"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n EventType_lookup,\n 
ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,CollectorHostName,\n _ItemId;\n BarracudaCEF\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json index c966eb9b2f0..7e4ef8ccfc2 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimAuditEventBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n 
\"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n | where LogType_s == \"AUDIT\" and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n | extend\n Operation = CommandName_s,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue_s has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | extend\n EventResultDetails = Reason\n | lookup EventTypeLookup on ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in 
(eventtype_in)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n Reason,\n _ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n BarracudaCustom\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": 
"vimAuditEventBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: 
datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n | where LogType_s == \"AUDIT\" and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n | extend\n Operation = CommandName_s,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue_s has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | extend\n EventResultDetails = Reason\n | lookup EventTypeLookup on ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n 
| extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n Reason,\n _ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n BarracudaCustom\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json index 67a6342fc9d..44a72b29fa0 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "vimAuditEventCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", 
\"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode 
from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial 
status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated 
Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred 
for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", 
\"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", 
\"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has 
been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", 
\"CA service enabled\", \"CA service enabled\",\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", 
\"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF 
for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", 
\"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete 
ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE 
learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload 
failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", 
\"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"\n];\nlet CiscoISEAuditParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventresult: string='*',\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]),\n object_has_any: dynamic=dynamic([]),\n newvalue_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | where (eventresult == \"*\" or eventresult == EventResult)\n and (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | summarize make_set(EventOriginalType));\nSyslog\n| where not(disabled)\n//***************************** **************************\n| where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n//***************************** *************************\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or SyslogMessage has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or SyslogMessage has_any (newvalue_has_any))\n| project\n 
TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n HostName,\n HostIP,\n SyslogMessage\n| lookup EventFieldsLookup on EventOriginalType\n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename\n SrcIpAddr=['Remote-Address']\n , TargetIpAddr =['Device IP Address']\n| where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer)) \n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n EventTime,\n Computer,\n HostName,\n SyslogMessage,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = 
actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM filtering parser for Cisco ISE",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuditEventCiscoISE",
+ "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", 
\"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode 
from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial 
status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated 
Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred 
for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", 
\"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", 
\"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has 
been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", 
\"CA service enabled\", \"CA service enabled\",\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", 
\"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF 
for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", 
\"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete 
ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE 
learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload 
failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", 
\"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"\n];\nlet CiscoISEAuditParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventresult: string='*',\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]),\n object_has_any: dynamic=dynamic([]),\n newvalue_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | where (eventresult == \"*\" or eventresult == EventResult)\n and (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | summarize make_set(EventOriginalType));\nSyslog\n| where not(disabled)\n//***************************** **************************\n| where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n//***************************** *************************\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or SyslogMessage has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or SyslogMessage has_any (newvalue_has_any))\n| project\n 
TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n HostName,\n HostIP,\n SyslogMessage\n| lookup EventFieldsLookup on EventOriginalType\n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename\n SrcIpAddr=['Remote-Address']\n , TargetIpAddr =['Device IP Address']\n| where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer)) \n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n EventTime,\n Computer,\n HostName,\n SyslogMessage,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = 
actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json index 5e2892d8927..ea949b61d9b 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuditEventCiscoMeraki", - "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP 
BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring 
with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend 
temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on 
TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", 
STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr 
= SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuditEventCiscoMeraki", + "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process 
ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = 
extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = 
SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse 
Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = 
iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n 
toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMerakiSyslog/vimAuditEventCiscoMerakiSyslog.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMerakiSyslog/vimAuditEventCiscoMerakiSyslog.json
index ea10486a776..9f941a8e541 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMerakiSyslog/vimAuditEventCiscoMerakiSyslog.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMerakiSyslog/vimAuditEventCiscoMerakiSyslog.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuditEventCiscoMerakiSyslog", - "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", 
\"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has 
\"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" 
for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, 
SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex 
\"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = 
tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuditEventCiscoMerakiSyslog", + "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", 
\"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and 
array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * 
\"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n 
| extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", 
\"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), 
toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)",
+ "version": 1,
+ "functionParameters": 
"disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCrowdStrikeFalconHost/vimAuditEventCrowdStrikeFalconHost.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCrowdStrikeFalconHost/vimAuditEventCrowdStrikeFalconHost.json
index cbec74f8dcf..1a8f88a04a5 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventCrowdStrikeFalconHost/vimAuditEventCrowdStrikeFalconHost.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCrowdStrikeFalconHost/vimAuditEventCrowdStrikeFalconHost.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuditEventCrowdStrikeFalconHost')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuditEventCrowdStrikeFalconHost",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection",
- "category": "ASIM",
- "FunctionAlias": "vimAuditEventCrowdStrikeFalconHost",
- "query": "let EventFieldsLookup = datatable(\n Activity: string,\n Operation: string,\n EventType_lookup: string,\n EventSubType: string,\n Object: string,\n ObjectType: string\n) \n [\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy Rule\",\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\n \"create_rule_group\", \"Create Rule Group\", 
\"Create\", \"\", \"Rule Group\", \"Service\",\n \"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet UserAuditActivities = dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", 
\"delete_rule_group\", \"add_rule_group\", \"delete_rule\", \"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]), \n eventresult: string='*', \n actorusername_has_any: dynamic=dynamic([]), \n operation_has_any: dynamic=dynamic([]), \n object_has_any: dynamic=dynamic([]), \n newvalue_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\n | where array_length(newvalue_has_any) == 0 \n and array_length(srcipaddr_has_any_prefix) == 0\n and (array_length(actorusername_has_any) == 0 or DestinationUserName has_any (actorusername_has_any))\n and (array_length(object_has_any) == 0 or Activity has_any (object_has_any))\n | lookup EventFieldsLookup on Activity\n | lookup EventSeverityLookup on LogSeverity\n | extend EventType = EventType_lookup\n | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend \n EventStartTime = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n 
unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n todatetime(DeviceCustomDate1),\n datetime(null)\n ),\n EventOriginalType = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n DeviceEventClassID,\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n DeviceEventCategory,\n \"\"\n ),\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = int(1),\n DvcAction = \"Allowed\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n ActorUsername = DestinationUserName,\n EventUid = _ItemId,\n DvcIpAddr = DestinationTranslatedAddress,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n TargetAppName = ProcessName,\n EventOriginalResultDetails = EventOutcome,\n EventOriginalSubType = Activity\n | extend\n EventEndTime = EventStartTime,\n Application = TargetAppName,\n TargetIpAddr = DvcIpAddr,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\n | extend\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Dst = TargetIpAddr\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n IndicatorThreatType,\n EventType_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n 
actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n)",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuditEventCrowdStrikeFalconHost",
+ "query": "let EventFieldsLookup = datatable(\n Activity: string,\n Operation: string,\n EventType_lookup: string,\n EventSubType: string,\n Object: string,\n ObjectType: string\n) \n [\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy Rule\",\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\n \"create_rule_group\", \"Create Rule Group\", \"Create\", \"\", \"Rule Group\", \"Service\",\n 
\"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet UserAuditActivities = dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", \"delete_rule_group\", \"add_rule_group\", \"delete_rule\", 
\"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]), \n eventresult: string='*', \n actorusername_has_any: dynamic=dynamic([]), \n operation_has_any: dynamic=dynamic([]), \n object_has_any: dynamic=dynamic([]), \n newvalue_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\n | where array_length(newvalue_has_any) == 0 \n and array_length(srcipaddr_has_any_prefix) == 0\n and (array_length(actorusername_has_any) == 0 or DestinationUserName has_any (actorusername_has_any))\n and (array_length(object_has_any) == 0 or Activity has_any (object_has_any))\n | lookup EventFieldsLookup on Activity\n | lookup EventSeverityLookup on LogSeverity\n | extend EventType = EventType_lookup\n | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend \n EventStartTime = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n DeviceEventCategory == 
\"AuthActivityAuditEvent\",\n todatetime(DeviceCustomDate1),\n datetime(null)\n ),\n EventOriginalType = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n DeviceEventClassID,\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n DeviceEventCategory,\n \"\"\n ),\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = int(1),\n DvcAction = \"Allowed\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n ActorUsername = DestinationUserName,\n EventUid = _ItemId,\n DvcIpAddr = DestinationTranslatedAddress,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n TargetAppName = ProcessName,\n EventOriginalResultDetails = EventOutcome,\n EventOriginalSubType = Activity\n | extend\n EventEndTime = EventStartTime,\n Application = TargetAppName,\n TargetIpAddr = DvcIpAddr,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\n | extend\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Dst = TargetIpAddr\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n IndicatorThreatType,\n EventType_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n 
object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json
index 7aeb9107ea1..3e52575bfc7 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json
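Review bot: The `eventresult` parameter is declared in the new-side query (`eventresult: string='*'`) but no `where` clause ever applies it, so a caller passing `eventresult="Failure"` still receives every row; the Cisco Meraki parser earlier in this diff filters with `| where (eventresult == "*" or EventResult =~ eventresult)` and the same line belongs here right after the `extend` that computes `EventResult`. That `extend` also compares `EventOutcome == "false"` case-sensitively, so an outcome spelled `False` would be reported as `Success`; `EventOutcome =~ "false"` looks safer unless the CEF feed is known to be lowercase. This JSON appears to be generated from the parser's YAML definition, so the fix should be made in the source definition and the ARM file regenerated rather than edited by hand.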
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimAuditEventEmpty", - "query": "let EmptyAuditEvents =datatable (\n ActorUserType:string,\n ActorUsernameType:string,\n ActorUserIdType:string,\n EventResult:string,\n EventType:string,\n EventSchema:string,\n ValueType:string,\n EventSeverity:string,\n EventVendor:string,\n EventProduct:string,\n SrcDvcIdType:string,\n TargetDvcIdType:string,\n SrcDomainType:string,\n TargetDomainType:string,\n SrcDeviceType:string,\n TargetDeviceType:string,\n ObjectType:string,\n OriginalObjectType:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ThreatConfidence:int,\n SrcGeoCountry:string,\n TargetGeoCountry:string,\n EventSubType:string,\n EventResultDetails:string,\n SrcHostname:string,\n TargetHostname:string,\n SrcIpAddr:string,\n TargetIpAddr:string,\n SrcGeoRegion:string,\n SrcGeoCity:string,\n TargetGeoRegion:string,\n TargetGeoCity:string,\n ThreatRiskLevel:int,\n EventSchemaVersion:string,\n EventReportUrl:string,\n User:string,\n ActorUsername:string,\n Application:string,\n Process:string,\n Operation:string,\n Object:string,\n ObjectId:string,\n OldValue:string,\n NewValue:string,\n Value:string,\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n 
AdditionalFields:dynamic,\n EventMessage:string,\n EventCount:int,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventProductVersion:string,\n EventOwner:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatOriginalRiskLevel:string,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatIpAddr:string,\n ThreatField:string,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ActorUserId:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n TargetAppId:string,\n TargetAppName:string,\n TargetUrl:string,\n ActingAppId:string,\n ActingAppName:string,\n HttpUserAgent:string,\n Src:string,\n SrcPortNumber:int,\n SrcDomain:string,\n SrcFQDN:string,\n SrcDvcDescription:string,\n SrcDvcId:string,\n SrcDvcScopeId:string,\n SrcDvcScope:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n Dst:string,\n TargetPortNumber:int,\n TargetDomain:string,\n TargetFQDN:string,\n TargetDvcDescription:string,\n TargetDvcId:string,\n TargetDvcScopeId:string,\n TargetDvcScope:string,\n TargetGeoLatitude:real,\n TargetGeoLongitude:real\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n)[];\nEmptyAuditEvents", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimAuditEventEmpty", + "query": "let EmptyAuditEvents =datatable (\n 
ActorUserType:string,\n ActorUsernameType:string,\n ActorUserIdType:string,\n EventResult:string,\n EventType:string,\n EventSchema:string,\n ValueType:string,\n EventSeverity:string,\n EventVendor:string,\n EventProduct:string,\n SrcDvcIdType:string,\n TargetDvcIdType:string,\n SrcDomainType:string,\n TargetDomainType:string,\n SrcDeviceType:string,\n TargetDeviceType:string,\n ObjectType:string,\n OriginalObjectType:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ThreatConfidence:int,\n SrcGeoCountry:string,\n TargetGeoCountry:string,\n EventSubType:string,\n EventResultDetails:string,\n SrcHostname:string,\n TargetHostname:string,\n SrcIpAddr:string,\n TargetIpAddr:string,\n SrcGeoRegion:string,\n SrcGeoCity:string,\n TargetGeoRegion:string,\n TargetGeoCity:string,\n ThreatRiskLevel:int,\n EventSchemaVersion:string,\n EventReportUrl:string,\n User:string,\n ActorUsername:string,\n Application:string,\n Process:string,\n Operation:string,\n Object:string,\n ObjectId:string,\n OldValue:string,\n NewValue:string,\n Value:string,\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n AdditionalFields:dynamic,\n EventMessage:string,\n EventCount:int,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventProductVersion:string,\n EventOwner:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatOriginalRiskLevel:string,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatIpAddr:string,\n ThreatField:string,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ActorUserId:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n TargetAppId:string,\n 
TargetAppName:string,\n TargetUrl:string,\n ActingAppId:string,\n ActingAppName:string,\n HttpUserAgent:string,\n Src:string,\n SrcPortNumber:int,\n SrcDomain:string,\n SrcFQDN:string,\n SrcDvcDescription:string,\n SrcDvcId:string,\n SrcDvcScopeId:string,\n SrcDvcScope:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n Dst:string,\n TargetPortNumber:int,\n TargetDomain:string,\n TargetFQDN:string,\n TargetDvcDescription:string,\n TargetDvcId:string,\n TargetDvcScopeId:string,\n TargetDvcScope:string,\n TargetGeoLatitude:real,\n TargetGeoLongitude:real\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n)[];\nEmptyAuditEvents", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md new file mode 100644 index 00000000000..3ba1867f7d5 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md 
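Review bot: The new-side `query` still ends its empty `datatable` with `DvcScopeOd:string`, which is presumably a typo for `DvcScopeId` (every other scope pair in this schema is spelled `…DvcScope` / `…DvcScopeId`, e.g. `SrcDvcScopeId`, `TargetDvcScopeId`), and the commit carries it over from the removed block unchanged. If this empty-schema function is unioned with the source-specific parsers, as such ASIM functions usually are, the misspelling would leave `DvcScopeId` untyped in the combined result and add a stray `DvcScopeOd` column; the proposed line is `, DvcScopeId:string\n`. This ARM template looks like tool-generated output of the parser definition, so the correction presumably belongs in the YAML source with the template regenerated rather than a hand edit here. The literal tab characters after `Dvc: string` and `DvcIpAddr: string` inside the query are harmless to KQL but could be dropped at the same time.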
@@ -0,0 +1,18 @@ +# Illumio Core ASIM AuditEvent Normalization Parser + +ARM template for ASIM AuditEvent schema parser for Illumio Core. + +This ASIM parser supports normalizing Illumio Core audit events logs ingested in 'Illumio_Auditable_Events_CL' table to the ASIM Audit Event schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventIllumioSaaSCore%2FvimAuditEventIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventIllumioSaaSCore%2FvimAuditEventIllumioSaaSCore.json) diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json new file mode 100644 index 00000000000..eb9b91471d3 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventIllumioSaaSCore')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Illumio SaaS Core audit events", + "category": "ASIM", + "FunctionAlias": "vimAuditEventIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n Operation: string,\n ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other],\n Object:string,\n EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type\n) \n[\n 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create',\n 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete',\n 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set',\n 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.deactivate', 
'Agent unpaired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other',\n 'agent.request_upgrade', 'VEN upgrade request sent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other',\n 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other',\n 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set',\n 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create',\n 'agent_support_report_request.delete', 'Agent support report request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete',\n 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other',\n 
'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other',\n 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create',\n 'api_key.delete', 'API key deleted', 'Cloud Resource', 'Api_key', 'Delete',\n 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set',\n 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create',\n 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 'Auth_security_principal', 'Delete',\n 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set',\n 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set',\n 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create',\n 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete',\n 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set',\n 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set',\n 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create',\n 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete',\n 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create',\n 'container_workload_profile.delete', 'Container workload profile deleted', 
'Cloud Resource', 'Container_workload_profile', 'Delete',\n 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 'Container_workload_profile', 'Set',\n 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other',\n 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other',\n 'domain.create', 'Domain created', 'Other', 'Domain', 'Create',\n 'domain.delete', 'Domain deleted', 'Other', 'Domain', 'Delete',\n 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set',\n 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create',\n 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete',\n 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set',\n 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set',\n 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set',\n 'group.create', 'Group created', 'Other', 'Group', 'Create',\n 'group.update', 'Group updated', 'Other', 'Group', 'Set',\n 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create',\n 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete',\n 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set',\n 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete',\n 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create',\n 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete',\n 'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set',\n 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete',\n 'label.create', 'Label created', 'Cloud Resource', 'Label', 
'Create',\n 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete',\n 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set',\n 'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create',\n 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete',\n 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set',\n 'labels.delete', 'Labels deleted', 'Cloud Resource', 'Labels', 'Delete',\n 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create',\n 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete',\n 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set',\n 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other',\n 'license.delete', 'License deleted', 'Other', 'License', 'Delete',\n 'license.update', 'License updated', 'Other', 'License', 'Set',\n 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create',\n 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete',\n 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set',\n 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other',\n 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create',\n 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 'Login_proxy_msp_tenants', 'Delete',\n 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set',\n 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 
'Create',\n 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete',\n 'login_proxy_orgs.update', 'Managed organization updated', 'Other', 'Login_proxy_orgs', 'Set',\n 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other',\n 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create',\n 'network.delete', 'Network deleted', 'Cloud Resource', 'Network', 'Delete',\n 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set',\n 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create',\n 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete',\n 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set',\n 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other',\n 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create',\n 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete',\n 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set',\n 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 
'Network_enforcement_node', 'Other',\n 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set',\n 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other',\n 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other',\n 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete',\n 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set',\n 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set',\n 'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set',\n 'org.create', 'Organization created', 'Other', 'Org', 'Create',\n 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other',\n 
'org.update', 'Organization information updated', 'Other', 'Org', 'Set',\n 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set',\n 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete',\n 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create',\n 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete',\n 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set',\n 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create',\n 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete',\n 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set',\n 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create',\n 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete',\n 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set',\n 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 'Other',\n 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other',\n 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other',\n 'request.internal_server_error', 'API 
request failed due to internal server error', 'Other', 'Request', 'Other',\n 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 'Other',\n 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other',\n 'resource.create', 'Login resource created', 'Other', 'Resource', 'Create',\n 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete',\n 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set',\n 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create',\n 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete',\n 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set',\n 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete',\n 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set',\n 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create',\n 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete',\n 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other',\n 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set',\n 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create',\n 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete',\n 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set',\n 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 'Create',\n 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete',\n 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other',\n 'sec_rule.create', 'Security policy rules created', 
'Policy Rule', 'Sec_rule', 'Create',\n 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete',\n 'sec_rule.update', 'Security policy rules updated', 'Policy Rule', 'Sec_rule', 'Set',\n 'secure_connect_gateway.create', 'SecureConnect gateway created', 'Other', 'Secure_connect_gateway', 'Create',\n 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete',\n 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set',\n 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create',\n 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete',\n 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set',\n 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other',\n 'service.create', 'Service created', 'Other', 'Service', 'Create',\n 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete',\n 'service.update', 'Service updated', 'Other', 'Service', 'Set',\n 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create',\n 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete',\n 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set',\n 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create',\n 'service_binding.delete', 'Service binding created', 'Other', 'Service_binding', 'Delete',\n 'service_bindings.delete', 'Service bindings deleted', 'Other', 'Service_bindings', 'Delete',\n 'service_bindings.delete', 'Service binding deleted', 'Other', 'Service_bindings', 'Delete',\n 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete',\n 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 
'Set',\n 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create',\n 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete',\n 'slb.update', 'Server load balancer updated', 'Other', 'Slb', 'Set',\n 'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other',\n 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create',\n 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete',\n 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set',\n 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other',\n 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.delete_expired_service_account_api_keys', 'An expired service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete',\n 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete',\n 'system_task.endpoint_offline_check', 'Endpoint marked 
offline', 'Other', 'System_task', 'Other',\n 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',\n 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',\n 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',\n 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',\n 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',\n 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',\n 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',\n 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',\n 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',\n 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',\n 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',\n 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',\n 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set', \n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 
'User', 'Set',\n 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',\n 'user.use_expired_password', 'User entered expired password', 'Cloud Resource', 'User', 'Other',\n 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',\n 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',\n 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',\n 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',\n 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',\n 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',\n 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',\n 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',\n 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',\n 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',\n 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',\n 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',\n 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',\n 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',\n 'virtual_server.delete', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Delete',\n 'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',\n 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',\n 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 
'Virtual_service', 'Delete',\n 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 'Virtual_service', 'Set',\n 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',\n 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',\n 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',\n 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',\n 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',\n 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',\n 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',\n 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',\n 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',\n 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',\n 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',\n 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',\n 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',\n 'workload_interface.create', 'Workload interface created', 'Cloud Resource', 'Workload_interface', 'Create',\n 'workload_interface.delete', 'Workload interface deleted', 'Cloud Resource', 'Workload_interface', 'Delete',\n 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set',\n 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set',\n '', 'For 
example, IP address changes, new interface added, and interface shut down.', 'Other', '', 'Other',\n 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set',\n 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set',\n 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set'\n];\nlet EventSeverityLookup = datatable(\n severity: string,\n EventSeverity: string\n)\n [\n \"err\", \"High\",\n \"info\", \"Informational\",\n \"warning\", \"Medium\"\n];\nlet EventResultLookup = datatable(\n status: string,\n EventResult: string\n)\n [\n \"success\", \"Success\",\n \"failure\", \"Failure\",\n \"\", \"NA\"\n];\nlet parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]), // not sure if this is required\n object_has_any:dynamic=dynamic([]), // not sure if this is required\n newvalue_has_any:dynamic=dynamic([]), // not mapped yet\n disabled:bool = false\n 
){\n Illumio_Auditable_Events_CL \n | where not(disabled) and (event_type !startswith \"user\") // filter out user auth events\n and ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(action.src_ip, srcipaddr_has_any_prefix))\n | lookup EventTypeLookup on event_type // fetch Object, ObjectType,EventType, Operation from lookup\n | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup\n | lookup EventResultLookup on status // fetch EventResult from lookup\n | extend temp_resource_changes = parse_json(resource_changes) \n | extend temp_notifications = parse_json(notifications)\n | extend\n NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''),\n EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''), \n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip)\n | extend \n ActorUsername = case(\n isnotnull(created_by.system), \"System\",\n isnotnull(created_by.user), created_by.user.username,\n isnotnull(created_by.agent), created_by.agent.hostname,\n \"Unknown\"\n ) \n | extend ActorUsernameType = \"Simple\" \n // ***** parser filter params *****\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in)) \n and (eventresult == \"*\" or EventResult =~ eventresult) and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(newvalue_has_any) == 0)\n // ***** parser filter params *****\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n Dvc = pce_fqdn,\n 
EventType = iff(isnull(EventType), event_type, EventType),\n EventOriginalUid = href,\n EventUid = _ItemId\n //aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Value = NewValue \n | project-away \n event_type, // used by EventType \n severity, // used by EventSeverity \n temp_*, \n resource_changes, // used by NewValue and EventMessage\n notifications,\n version, // simply drop version, no need to translate\n action, //used by src_ip\n status, // used by EventResult\n created_by, // used by ActorUsername and ActorType\n pce_fqdn, // used by Dvc\n href, // used by EventOriginalUid\n TenantId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md new file mode 100644 index 00000000000..47dd35ce110 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md 
@@ -0,0 +1,18 @@
+# Infoblox BloxOne ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Infoblox BloxOne.
+
+This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventInfobloxBloxOne%2FvimAuditEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventInfobloxBloxOne%2FvimAuditEventInfobloxBloxOne.json)
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json
new file mode 100644
index 00000000000..e50e55aead5
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventInfbloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "AuditEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "vimAuditEventInfbloxBloxOne", + "query": "let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string)\n[\n \"CreateSecurityPolicy\", \"Security Policy\", \"Policy Role\",\n \"UpdateSecurityPolicy\", \"Security Policy\", \"Policy\",\n \"Create\", \"Network Resource\", \"Service\",\n \"Update\", \"Network Resource\", \"Service\",\n \"Restore\", \"Infoblox Resource\", \"Service\",\n \"CreateOrGetDoHFQDN\", \"DOHFQDN\", \"Service\",\n \"CreateOrUpdateDfpService\", \"Dfp Service\", \"Service\",\n \"MoveToRecyclebin\", \"Recyclebin\", \"Other\",\n \"CreateCategoryFilter\", \"Category Filter\", \"Other\",\n \"GetLookalikeThreatCounts\", \"Lookalike Threat Counts\", \"Other\",\n 
\"GetLookalikeDomainCounts\", \"Lookalike Domain Counts\", \"Other\",\n \"CreateRoamingDeviceGroup\", \"Roaming Device Group\", \"Configuration Atom\",\n \"UpdatePartialRoamingDeviceGroup\", \"Partial Roaming Device Group\", \"Configuration Atom\"\n];\nlet parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\n CommonSecurityLog\n | where not(disabled) \n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and DeviceVendor == \"Infoblox\"\n and DeviceEventClassID has \"AUDIT\"\n and (eventresult == \"*\" or EventOutcome =~ eventresult)\n and (array_length(operation_has_any) == 0 or DeviceAction has_any (operation_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SourceUserName has_any (actorusername_has_any))\n and array_length(newvalue_has_any) == 0\n | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend EventType = case(\n DeviceAction has_any (\"update\", \"upsert\"),\n \"Set\", \n DeviceAction has \"create\",\n \"Create\",\n DeviceAction has \"delete\",\n \"Delete\",\n \"Other\"\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSeverityLookup on LogSeverity\n | lookup OperationLookup on DeviceAction\n | extend Object = iff(isempty(Object), \"Infoblox Network Resource\", Object),\n ObjectType = iff(isempty(ObjectType), \"Service\", ObjectType)\n | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | 
invoke _ASIM_ResolveDvcFQDN('CollectorHostName')\n | project-rename\n EventResult = EventOutcome,\n Operation = DeviceAction,\n ActorUsername = SourceUserName,\n SrcIpAddr = SourceIP,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message,\n EventOriginalType = DeviceEventClassID,\n EventUid = _ItemId\n | extend\n Dvc = DvcHostname,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n Src = SrcIpAddr,\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n AdditionalFields = bag_pack(\n \"InfobloxHTTPReqBody\",\n InfobloxHTTPReqBody,\n \"InfobloxHTTPRespBody\",\n InfobloxHTTPRespBody\n ),\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend\n EventCount = toint(1),\n EventProduct = \"BloxOne\",\n EventVendor = \"Infoblox\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity,\n Computer,\n ApplicationProtocol,\n ExtID,\n Reason,\n Activity,\n Infoblox*\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)\n", + "version": 1, + "functionParameters": 
"disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftEvent/vimAuditEventMicrosoftEvent.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftEvent/vimAuditEventMicrosoftEvent.json index 7474e0a6d19..8f4cadc29cb 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftEvent/vimAuditEventMicrosoftEvent.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftEvent/vimAuditEventMicrosoftEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventMicrosoftEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventMicrosoftEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "vimAuditEventMicrosoftEvent", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear Audit Log Event\nlet 
AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", 
\"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n (\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | extend Operation=EventLevelName\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled 
Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n 
ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "vimAuditEventMicrosoftEvent", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: 
dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security 
Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n (\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) 
== 0 or EventData has_any (newvalue_has_any))\n | extend Operation=EventLevelName\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse 
WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n 
srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftExchangeAdmin365/vimAuditEventMicrosoftExchangeAdmin365.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftExchangeAdmin365/vimAuditEventMicrosoftExchangeAdmin365.json index ec5a0d0eeb5..de7b60a0d76 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftExchangeAdmin365/vimAuditEventMicrosoftExchangeAdmin365.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftExchangeAdmin365/vimAuditEventMicrosoftExchangeAdmin365.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventMicrosoftExchangeAdmin365')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventMicrosoftExchangeAdmin365", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Microsoft Exchange 365 administrative activity", - "category": "ASIM", - "FunctionAlias": "vimAuditEventMicrosoftExchangeAdmin365", - "query": "let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\n[\n // Regular, Regular\n \"Admin\", \"Admin\"\n , \"DcAdmin\", \"Admin\"\n , \"System\", \"System\"\n , \"Application\", \"Application\"\n , \"ServicePrincipal\", \"Service Principal\"\n , \"CustomPolicy\", \"Other\"\n , \"SystemPolicy\", \"Other\"\n , \"Reserved\", \"Other\"\n];\nlet eventtypes=datatable (op:string, EventType:string)\n[\n \"Remove\", \"Delete\",\n \"New\", \"Create\",\n \"Add\", \"Create\",\n \"Enable\", \"Enable\",\n \"Install\", \"Install\",\n \"Set\", \"Set\",\n \"Disable\", \"Disable\",\n \"disable\", \"Disable\"\n];\n let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ){\n OfficeActivity\n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n 
and (isnull(endtime) or TimeGenerated <= endtime)\n | where RecordType in ('ExchangeAdmin')\n | where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ClientIP,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or UserId has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or OfficeObjectId has_any (object_has_any))\n and (array_length(newvalue_has_any) == 0 or Parameters has_any (newvalue_has_any))\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\n // --\n // Calculate and filter result\n | where (eventresult == \"*\" or (eventresult == \"Success\" and ResultStatus == \"True\"))\n | extend EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\n // --\n // -- Calculate and filter operation and event type\n | extend \n SplitOp = split (Operation,\"-\")\n | extend\n op=tostring(SplitOp[0])\n | lookup eventtypes on op\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | project-away op \n // --\n // Calculate and post-filter source IP address and port\n | extend \n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\n | extend \n SrcIpAddr = iff (SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n // --\n /// Calculate and post filter actor and acting app\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\n | extend \n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\n ActingAppType = iff (ActingAppName == \"\", 
\"\", \"Process\")\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n // --\n // Calculate Object\n | extend\n SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', OfficeObjectId)[0]\n | extend \n Object = case (\n SplitObject[0] == OrganizationName, SplitObject[1], \n OfficeObjectId == \"\", SplitOp[1],\n OfficeObjectId\n )\n | project-away SplitOp, OfficeObjectId\n // --\n | project-rename\n SrcDescription = OriginatingServer,\n NewValue = Parameters \n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\n | project-rename\n HttpUserAgent = UserAgent, \n ActorOriginalUserType = UserType,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId\n | lookup usertypes on ActorOriginalUserType\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Exchange 365',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n TargetAppName = 'Exchange 365',\n TargetAppType = 'SaaS application'\n | project-away \n ResultStatus\n | extend\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n // -- Aliases\n | extend \n User=ActorUsername,\n IpAddr = SrcIpAddr,\n Value = NewValue,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = coalesce (SrcIpAddr, SrcDescription),\n Dvc = TargetAppName,\n // -- Entity identifier explicit aliases\n ActorUserUpn = iif (ActorUsernameType == \"UPN\", ActorUsername, \"\"),\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n 
disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Microsoft Exchange 365 administrative activity", + "category": "ASIM", + "FunctionAlias": "vimAuditEventMicrosoftExchangeAdmin365", + "query": "let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\n[\n // Regular, Regular\n \"Admin\", \"Admin\"\n , \"DcAdmin\", \"Admin\"\n , \"System\", \"System\"\n , \"Application\", \"Application\"\n , \"ServicePrincipal\", \"Service Principal\"\n , \"CustomPolicy\", \"Other\"\n , \"SystemPolicy\", \"Other\"\n , \"Reserved\", \"Other\"\n];\nlet eventtypes=datatable (op:string, EventType:string)\n[\n \"Remove\", \"Delete\",\n \"New\", \"Create\",\n \"Add\", \"Create\",\n \"Enable\", \"Enable\",\n \"Install\", \"Install\",\n \"Set\", \"Set\",\n \"Disable\", \"Disable\",\n \"disable\", \"Disable\"\n];\n let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ){\n OfficeActivity\n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where RecordType in ('ExchangeAdmin')\n | where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ClientIP,srcipaddr_has_any_prefix))\n and 
(array_length(actorusername_has_any) == 0 or UserId has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or OfficeObjectId has_any (object_has_any))\n and (array_length(newvalue_has_any) == 0 or Parameters has_any (newvalue_has_any))\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\n // --\n // Calculate and filter result\n | where (eventresult == \"*\" or (eventresult == \"Success\" and ResultStatus == \"True\"))\n | extend EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\n // --\n // -- Calculate and filter operation and event type\n | extend \n SplitOp = split (Operation,\"-\")\n | extend\n op=tostring(SplitOp[0])\n | lookup eventtypes on op\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | project-away op \n // --\n // Calculate and post-filter source IP address and port\n | extend \n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\n | extend \n SrcIpAddr = iff (SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n // --\n /// Calculate and post filter actor and acting app\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\n | extend \n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\n ActingAppType = iff (ActingAppName == \"\", \"\", \"Process\")\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n // --\n // Calculate Object\n | extend\n SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', 
OfficeObjectId)[0]\n | extend \n Object = case (\n SplitObject[0] == OrganizationName, SplitObject[1], \n OfficeObjectId == \"\", SplitOp[1],\n OfficeObjectId\n )\n | project-away SplitOp, OfficeObjectId\n // --\n | project-rename\n SrcDescription = OriginatingServer,\n NewValue = Parameters \n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\n | project-rename\n HttpUserAgent = UserAgent, \n ActorOriginalUserType = UserType,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId\n | lookup usertypes on ActorOriginalUserType\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Exchange 365',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n TargetAppName = 'Exchange 365',\n TargetAppType = 'SaaS application'\n | project-away \n ResultStatus\n | extend\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n // -- Aliases\n | extend \n User=ActorUsername,\n IpAddr = SrcIpAddr,\n Value = NewValue,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = coalesce (SrcIpAddr, SrcDescription),\n Dvc = TargetAppName,\n // -- Entity identifier explicit aliases\n ActorUserUpn = iif (ActorUsernameType == \"UPN\", ActorUsername, \"\"),\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftSecurityEvents/vimAuditEventMicrosoftSecurityEvents.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftSecurityEvents/vimAuditEventMicrosoftSecurityEvents.json index 5d1d6e660b5..4bcc414ee88 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftSecurityEvents/vimAuditEventMicrosoftSecurityEvents.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftSecurityEvents/vimAuditEventMicrosoftSecurityEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "vimAuditEventMicrosoftSecurityEvents", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear 
Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load 
Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n union\n (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any)) \n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n ),\n //Section for SecurityEvent(1102)\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in (AuditLogClearedEventID) and EventSourceName == 
\"Microsoft-Windows-Eventlog\"\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend Parsed_EventData = parse_xml(EventData)\n | extend\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\n SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)\n | project-away EventData, Parsed_EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, 
ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff 
(DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "vimAuditEventMicrosoftSecurityEvents", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 
7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", 
\"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n union\n (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any)) \n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n 
SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n ),\n //Section for SecurityEvent(1102)\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in (AuditLogClearedEventID) and EventSourceName == \"Microsoft-Windows-Eventlog\"\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend Parsed_EventData = parse_xml(EventData)\n | extend\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\n SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)\n | project-away EventData, Parsed_EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and 
(array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n 
ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
index beee6baaff6..accc280c47a 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "vimAuditEventMicrosoftWindowsEvents", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear 
Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load 
Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n union\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) \n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any) \n | project-away EventData\n 
),\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away 
Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = 
tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "vimAuditEventMicrosoftWindowsEvents", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 
2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", 
\"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n union\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) \n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = 
tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any) \n | project-away EventData\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID 
in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n 
union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
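Review bot: In the new `query` property, the first `WindowsEvent` branch of the `ParsedEvents` union applies the actor filter as `or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any)` — the second disjunct repeats `SubjectUserName`, so a filter value that matches only the domain part of the actor (or the `DOMAIN\user` form that the 1102 branch directly below accepts via `strcat`) appears to exclude every non-1102 event from this filtering parser, which would silently blind any analytic rule that passes `actorusername_has_any`. The second line should read `or SubjectDomainName has_any (actorusername_has_any)`, and for parity with the 1102 branch a third disjunct `or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)` would make both branches behave the same. Replacing the nested `workspaces` resource and its `dependsOn` with a single `workspaces/savedSearches` child looks intentional and means the template no longer redeploys the workspace with the 2017 preview API; it does now rely on the workspace already existing, which is presumably the case for a parser deployment.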
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json
index c95fc8b1a7a..c0c0af86efc 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuditEventSentinelOne')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuditEventSentinelOne",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit Event ASIM parser for SentinelOne",
- "category": "ASIM",
- "FunctionAlias": "vimAuditEventSentinelOne",
- "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - Agent Notification On 
Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", 
\"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", 
\"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", 
\"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To Move To Another 
Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", 
\"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", 
\"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", \"\", \"Success\", 
\"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", 
\"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", 
\"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, \"Network 
Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n 
threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\n let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 
5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n and event_name_s == \"Activities.\" \n and activityType_d in (AllActivityIdsForAudit)\n and (array_length(actorusername_has_any) == 0 or primaryDescription_s has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or primaryDescription_s has_any (newvalue_has_any) or DataFields_s has_any (newvalue_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (39, 41, 44, 45, 46, 56, 57, 68, 69, 
70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111)\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 
4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, 
cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\n 
ThreatCategory = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix))\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n 
parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix));\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n TimeGenerated,\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n 
ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\")\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, 
DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n rulesRemoved,\n tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", - "version": 1, - "functionParameters": 
"disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimAuditEventSentinelOne", + "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - Agent Notification On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write 
setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", 
\"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: 
string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, 
\"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To Move To Another Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted 
RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", 
\"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", 
\"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", \"\", \"Success\", \"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User 
Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", 
\"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password 
configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, \"Network Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", 
\"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n 
threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\n let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let RawOtherActivityIds = 
dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n and event_name_s == \"Activities.\" \n and activityType_d in (AllActivityIdsForAudit)\n and (array_length(actorusername_has_any) == 0 or primaryDescription_s has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or primaryDescription_s has_any (newvalue_has_any) or DataFields_s has_any (newvalue_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111)\n | parse-kv DataFields_s as (username: 
string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", 
kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, 
oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\n ThreatCategory = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n 
TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix))\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d\n | where (eventresult == \"*\" or EventResult =~ 
eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix));\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n TimeGenerated,\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n 
threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\")\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n 
RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n rulesRemoved,\n tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventVMwareCarbonBlackCloud/vimAuditEventVMwareCarbonBlackCloud.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventVMwareCarbonBlackCloud/vimAuditEventVMwareCarbonBlackCloud.json
index 3599c51469e..233bb45d9b3 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventVMwareCarbonBlackCloud/vimAuditEventVMwareCarbonBlackCloud.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventVMwareCarbonBlackCloud/vimAuditEventVMwareCarbonBlackCloud.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimAuditEventVMwareCarbonBlackCloud", - "query": "let EventTypeLookup = datatable(temp_type: string, EventType: string)[\n \"created\", \"Create\",\n \"updated\", \"Set\",\n \"deleted\", \"Delete\",\n \"added\", \"Create\",\n \"modified\", \"Set\"\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]), \n eventresult: string='*', \n actorusername_has_any: dynamic=dynamic([]), \n operation_has_any: dynamic=dynamic([]), \n object_has_any: dynamic=dynamic([]), \n newvalue_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n let allData = CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and not(description_s has_any (\"logged in\", \"login\"))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or loginName_s has_any (actorusername_has_any))\n and (array_length(object_has_any) == 0 or description_s has_any (object_has_any))\n and 
(array_length(newvalue_has_any) == 0 or description_s has_any (newvalue_has_any))\n and (array_length(operation_has_any) == 0 or description_s has_any (operation_has_any));\n let Enabled = allData\n | where description_s has_cs \"Enabled\"\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\n | extend\n EventType = \"Enable\",\n Operation = description_s,\n Object = coalesce(temp_object1, temp_object2, temp_object3),\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\n let Set = allData\n | where description_s startswith \"Set\"\n | parse description_s with \"Set \" temp_field_s: string \" to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n Object = temp_field_s,\n EventType = \"Set\",\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\n ObjectType = \"Configuration Atom\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\n let AlertNotify = allData\n | where description_s has \"alert notification\"\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\n | extend\n Operation = strcat(temp_type, \" alert notification\"),\n temp_type = tolower(temp_type),\n Object = coalesce(name, \"alert notification\"),\n ObjectType = \"Service\"\n | lookup EventTypeLookup on temp_type;\n let CustomRole = allData\n | where description_s has \"custom role\"\n | parse description_s with temp_type1: 
string \" custom role \" temp_rolename1: string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\n | extend\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\n Object = coalesce(temp_rolename1, temp_rolename2),\n ObjectType = \"Other\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" custom role \", Object),\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\n let Policy = allData\n | where description_s startswith \"Policy\"\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed to \" NewValue: string \" (ID: \" temp_restmessage2: string\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" temp_type3: string\n | extend\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\n ObjectType = \"Policy Rule\",\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\n OldValue = temp_policyname2,\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\n let Changed = allData\n | where description_s startswith \"Changed policy\"\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * \"device(s): \" temp_deviceid_s: string \n | extend\n EventType = \"Set\",\n Operation = 
strcat(temp_operation_s, \" to \", NewValue),\n Object = NewValue,\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let ParamsUpdated = allData\n | where description_s startswith \"Parameters updated\"\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\n | extend\n temp_operation = coalesce(temp_config1, temp_config2),\n temp_configid = coalesce(temp_configid1, temp_configid2)\n | extend\n EventType = \"Set\", \n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"config id\", temp_configid);\n let Reputation = allData\n | where description_s has_cs \"Reputation\"\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\n | extend\n temp_type = coalesce(temp_type1, temp_type2),\n Object = iff(isnotempty(temp_reptype1), strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\n ObjectType = \"Configuration Atom\"\n | lookup EventTypeLookup on 
temp_type\n | extend\n Operation = strcat(temp_type, \" \", Object),\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\n let PolicyUpdateApplied = allData\n | where description_s has \"Policy update applied\"\n | parse description_s with * \"policy to \" Object: string\n | extend\n EventType = \"Set\",\n Operation = \"Policy update applied\",\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\"\n ;\n let auto_deletion = allData\n | where description_s has_all (\"auto-deletion\", \"devices\")\n | parse description_s with TargetFQDN: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"auto-deletion\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Hash_Deleted = allData\n | where description_s startswith \"Hash - \"\n | parse description_s with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Request\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\";\n let Failure_Deleting_Hash = allData\n | where description_s startswith \"Failure deleting hash\"\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Failure\";\n let Delete_Hash = allData\n | where description_s startswith \"Delete Hash\"\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Hash\",\n Object = 
HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let Success_Deleting_Hash = allData\n | where description_s startswith \"Success deleting hash\"\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Success\";\n let DeviceUninstalled = allData\n | where description_s has_all (\"Device\", \"uninstalled\")\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Uninstall\",\n Operation = \"Uninstall\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let DeviceReset = allData\n | where description_s startswith (\"Device reset requested\")\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\n | extend \n EventType = \"Set\",\n Operation = \"Device reset\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let CreateOrModifyPolicy = allData\n | where description_s startswith \"Request received to\"\n | parse description_s with * \"policy \" Object: string\n | extend\n EventType = case(\n description_s has \"modify policy\",\n \"Set\", \n description_s has \"create new policy\",\n \"Create\",\n \"\"\n ),\n Operation = case(\n description_s has \"modify policy\",\n \"modify policy\", \n description_s has \"create new policy\",\n \"create new policy\",\n \"\"\n ),\n Object = replace_string(Object, \"- \", \"\"),\n 
ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\";\n let LogsRequested = allData\n | where description_s startswith (\"Logs requested\")\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\n | extend \n EventType = \"Read\",\n Operation = \"Logs requested\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Re_Registration = allData\n | where description_s startswith \"Re-registration of device\"\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Enable\",\n Operation = \"Re-registration of device\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n union\n Enabled,\n Set,\n AlertNotify,\n CustomRole,\n Policy,\n Changed,\n ParamsUpdated,\n Reputation,\n PolicyUpdateApplied,\n auto_deletion,\n Hash_Deleted,\n Failure_Deleting_Hash,\n Delete_Hash,\n Success_Deleting_Hash,\n DeviceUninstalled,\n DeviceReset,\n CreateOrModifyPolicy,\n LogsRequested,\n Re_Registration\n | extend EventResult = iif(isnotempty(EventResult), EventResult, \"Success\")\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\n | extend\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventVendor = \"VMware\",\n EventCount = int(1)\n | 
project-rename\n ActorUsername = loginName_s,\n EventUid = _ItemId,\n SrcIpAddr = clientIp_s,\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n ActorScope = orgName_s\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n User = ActorUsername,\n Value = NewValue,\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | project-away \n *_s,\n *_d,\n *_b,\n temp*,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ResourceId,\n name,\n EventSeverity1\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimAuditEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable(temp_type: string, EventType: string)[\n \"created\", \"Create\",\n \"updated\", \"Set\",\n \"deleted\", \"Delete\",\n \"added\", \"Create\",\n \"modified\", \"Set\"\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n 
srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]), \n eventresult: string='*', \n actorusername_has_any: dynamic=dynamic([]), \n operation_has_any: dynamic=dynamic([]), \n object_has_any: dynamic=dynamic([]), \n newvalue_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n let allData = CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and not(description_s has_any (\"logged in\", \"login\"))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or loginName_s has_any (actorusername_has_any))\n and (array_length(object_has_any) == 0 or description_s has_any (object_has_any))\n and (array_length(newvalue_has_any) == 0 or description_s has_any (newvalue_has_any))\n and (array_length(operation_has_any) == 0 or description_s has_any (operation_has_any));\n let Enabled = allData\n | where description_s has_cs \"Enabled\"\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\n | extend\n EventType = \"Enable\",\n Operation = description_s,\n Object = coalesce(temp_object1, temp_object2, temp_object3),\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\n let Set = allData\n | where description_s startswith \"Set\"\n | parse description_s with \"Set \" temp_field_s: string \" to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\n | invoke 
_ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n Object = temp_field_s,\n EventType = \"Set\",\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\n ObjectType = \"Configuration Atom\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\n let AlertNotify = allData\n | where description_s has \"alert notification\"\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\n | extend\n Operation = strcat(temp_type, \" alert notification\"),\n temp_type = tolower(temp_type),\n Object = coalesce(name, \"alert notification\"),\n ObjectType = \"Service\"\n | lookup EventTypeLookup on temp_type;\n let CustomRole = allData\n | where description_s has \"custom role\"\n | parse description_s with temp_type1: string \" custom role \" temp_rolename1: string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\n | extend\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\n Object = coalesce(temp_rolename1, temp_rolename2),\n ObjectType = \"Other\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" custom role \", Object),\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\n let Policy = allData\n | where description_s startswith \"Policy\"\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed to \" NewValue: string \" (ID: \" temp_restmessage2: string\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" 
temp_type3: string\n | extend\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\n ObjectType = \"Policy Rule\",\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\n OldValue = temp_policyname2,\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\n let Changed = allData\n | where description_s startswith \"Changed policy\"\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * \"device(s): \" temp_deviceid_s: string \n | extend\n EventType = \"Set\",\n Operation = strcat(temp_operation_s, \" to \", NewValue),\n Object = NewValue,\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let ParamsUpdated = allData\n | where description_s startswith \"Parameters updated\"\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\n | extend\n temp_operation = coalesce(temp_config1, temp_config2),\n temp_configid = coalesce(temp_configid1, temp_configid2)\n | extend\n EventType = \"Set\", \n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\n ObjectType = \"Policy Rule\",\n 
AdditionalFields = bag_pack(\"config id\", temp_configid);\n let Reputation = allData\n | where description_s has_cs \"Reputation\"\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\n | extend\n temp_type = coalesce(temp_type1, temp_type2),\n Object = iff(isnotempty(temp_reptype1), strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\n ObjectType = \"Configuration Atom\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" \", Object),\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\n let PolicyUpdateApplied = allData\n | where description_s has \"Policy update applied\"\n | parse description_s with * \"policy to \" Object: string\n | extend\n EventType = \"Set\",\n Operation = \"Policy update applied\",\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\"\n ;\n let auto_deletion = allData\n | where description_s has_all (\"auto-deletion\", \"devices\")\n | parse description_s with TargetFQDN: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"auto-deletion\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Hash_Deleted = allData\n | where description_s startswith \"Hash - \"\n | parse description_s with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n 
Operation = \"Delete Request\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\";\n let Failure_Deleting_Hash = allData\n | where description_s startswith \"Failure deleting hash\"\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Failure\";\n let Delete_Hash = allData\n | where description_s startswith \"Delete Hash\"\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let Success_Deleting_Hash = allData\n | where description_s startswith \"Success deleting hash\"\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Success\";\n let DeviceUninstalled = allData\n | where description_s has_all (\"Device\", \"uninstalled\")\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Uninstall\",\n Operation = \"Uninstall\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let DeviceReset 
= allData\n | where description_s startswith (\"Device reset requested\")\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\n | extend \n EventType = \"Set\",\n Operation = \"Device reset\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let CreateOrModifyPolicy = allData\n | where description_s startswith \"Request received to\"\n | parse description_s with * \"policy \" Object: string\n | extend\n EventType = case(\n description_s has \"modify policy\",\n \"Set\", \n description_s has \"create new policy\",\n \"Create\",\n \"\"\n ),\n Operation = case(\n description_s has \"modify policy\",\n \"modify policy\", \n description_s has \"create new policy\",\n \"create new policy\",\n \"\"\n ),\n Object = replace_string(Object, \"- \", \"\"),\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\";\n let LogsRequested = allData\n | where description_s startswith (\"Logs requested\")\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\n | extend \n EventType = \"Read\",\n Operation = \"Logs requested\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Re_Registration = allData\n | where description_s startswith \"Re-registration of device\"\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Enable\",\n Operation = \"Re-registration of device\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n union\n Enabled,\n Set,\n AlertNotify,\n CustomRole,\n Policy,\n Changed,\n ParamsUpdated,\n Reputation,\n PolicyUpdateApplied,\n auto_deletion,\n Hash_Deleted,\n Failure_Deleting_Hash,\n Delete_Hash,\n Success_Deleting_Hash,\n DeviceUninstalled,\n DeviceReset,\n 
CreateOrModifyPolicy,\n LogsRequested,\n Re_Registration\n | extend EventResult = iif(isnotempty(EventResult), EventResult, \"Success\")\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\n | extend\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventVendor = \"VMware\",\n EventCount = int(1)\n | project-rename\n ActorUsername = loginName_s,\n EventUid = _ItemId,\n SrcIpAddr = clientIp_s,\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n ActorScope = orgName_s\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n User = ActorUsername,\n Value = NewValue,\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | project-away \n *_s,\n *_d,\n *_b,\n temp*,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ResourceId,\n name,\n EventSeverity1\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n)\n", + "version": 1, + 
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json index 941440de568..fc13fdae89d 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventVectraXDRAudit')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventVectraXDRAudit", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Vectra XDR Audit Logs Event", - "category": "ASIM", - "FunctionAlias": "vimAuditEventVectraXDRAudit", - "query": "let parser = (disabled:bool = false, eventresult:string='*', starttime:datetime=datetime(null), endtime:datetime=datetime(null), actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | where (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime) and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any)) or (array_length(actorusername_has_any) == 0 or username_s has_any (actorusername_has_any)) and (array_length(operation_has_any) == 0 or event_action_s has_any (operation_has_any)) and (array_length(object_has_any) == 0 or event_object_s has_any (object_has_any))\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = 'Other',\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = 
\"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | where ('*' in (eventresult) or EventResult in (eventresult))\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, eventresult=eventresult, starttime=starttime, endtime=endtime, actorusername_has_any=actorusername_has_any,operation_has_any=operation_has_any,object_has_any=object_has_any)", - "version": 1, - "functionParameters": "disabled:bool=False,eventresult:string='*',starttime:datetime=datetime(null),endtime:datetime=datetime(null),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "vimAuditEventVectraXDRAudit", + "query": "let parser = (disabled:bool = false, eventresult:string='*', starttime:datetime=datetime(null), endtime:datetime=datetime(null), actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | where (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime) and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any)) or (array_length(actorusername_has_any) == 0 or username_s has_any 
(actorusername_has_any)) and (array_length(operation_has_any) == 0 or event_action_s has_any (operation_has_any)) and (array_length(object_has_any) == 0 or event_object_s has_any (object_has_any))\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = 'Other',\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | where ('*' in (eventresult) or EventResult in (eventresult))\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, eventresult=eventresult, starttime=starttime, endtime=endtime, actorusername_has_any=actorusername_has_any,operation_has_any=operation_has_any,object_has_any=object_has_any)", + "version": 1, + "functionParameters": "disabled:bool=False,eventresult:string='*',starttime:datetime=datetime(null),endtime:datetime=datetime(null),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml index eac7faf071b..2abafc2be82 100644 --- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml 
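Review bot: The `where` clause carried into the new `query` value for vimAuditEventVectraXDRAudit has an operator-precedence defect: KQL binds `and` tighter than `or`, so `(starttime) and (endtime) and (user_id filter) or (username filter) and (operation) and (object)` splits into two alternatives, and with the default empty `actorusername_has_any` the right-hand alternative is true on its own, which silently discards the `starttime`/`endtime` window; conversely, when a username filter is supplied the left-hand alternative ignores `operation_has_any` and `object_has_any`. The two username clauses should be one parenthesised term, e.g. `and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any) or username_s has_any (actorusername_has_any))`, keeping every filter joined by `and`. This was already present on the removed side, so it is not introduced here, but it survives the restructuring and an analyst relying on the time-bounded filtering parser will get unbounded scans over Audits_Data_CL. Since this ARM JSON appears to be generated from the parser YAML (the generator is touched earlier in this commit), the fix presumably belongs in the source YAML with the ARM file regenerated, rather than being edited here by hand.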
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
@@ -59,4 +59,3 @@ ParserQuery: |
 ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),
 ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),
 ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))
-
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
index 0b1cc1884d1..c953560b0d2 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthentication')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthentication", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled 
or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) ))\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimAuthentication", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) ))\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json index a187c48c35e..024ae7cdead 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json 
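Review bot: Two of the exclusion keys in the new `query` value do not follow the `Exclude<FunctionAlias>` pattern used by every other entry: `ASimAuthenticationCrowdStrikeFalconHost` is gated on `'ExcludeASimAuthenticationCrowdStrikeFalcon'` and `ASimAuthenticationIllumioSaaSCore` on `'ExcludeASimAuthenticationIllumioSaaS'`. An operator who adds `ExcludeASimAuthenticationCrowdStrikeFalconHost` or `ExcludeASimAuthenticationIllumioSaaSCore` to the ASimDisabledParsers watchlist, following the convention visible in the rest of the list, will not actually disable those source parsers. Whether the shorter keys are deliberate aliases is not visible from this hunk; if they are, a comment in the source parser definition naming the accepted keys would help, otherwise they should be aligned with the function aliases. The same naming exists on the removed side, so this is pre-existing rather than introduced by the restructuring, and the fix belongs in the YAML the ARM file is generated from.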
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationAADManagedIdentitySignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationAADManagedIdentitySignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Entra ID managed identity sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User 
disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates 
policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n 
TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Entra ID managed identity sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - 
UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" 
,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = 
(disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json index f3196240ba2..dd4e4545638 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json 
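Review bot: The new query string still sets `Dvc = 'Microsft/Entra ID'` in the parser's extend clause, so every normalized row carries a misspelled device/vendor value that any downstream filter on Dvc will miss; the line should read `Dvc = 'Microsoft/Entra ID'`. Since this JSON appears to be generated from the parser YAML by the ASimYaml2ARM tooling (the Python change earlier in this diff writes the same resource layout), the correction belongs in the YAML source so it survives regeneration. The same misspelling is present in the service-principal parser in the last hunk of this chunk. Separately, the flattened `workspaces/savedSearches` resource keeps `"location": "[parameters('WorkspaceRegion')]"` on what is now a child resource of the workspace; it is not clear from the template that the 2020-08-01 savedSearches schema uses that property, so confirm it is accepted rather than rejected at deployment.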
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationAADNonInteractiveUserSignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationAADNonInteractiveUserSignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Entra ID non-interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password' ,\n '700016', 'No such user or password'\n ];\nlet parser=(disabled:bool=false){\n 
AADNonInteractiveUserSignInLogs \n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'NonInteractive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(todynamic(DeviceDetail).displayName),\n SrcDvcId = tostring(todynamic(DeviceDetail).deviceId),\n SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem),\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n | extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n SrcDvcIpAddr = IPAddress,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = ResourceIdentity,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n};\nparser \n (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Entra ID non-interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n 
'50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password' ,\n '700016', 'No such user or password'\n ];\nlet parser=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs \n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'NonInteractive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(todynamic(DeviceDetail).displayName),\n SrcDvcId = tostring(todynamic(DeviceDetail).deviceId),\n SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem),\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n | extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = 
toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n SrcDvcIpAddr = IPAddress,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = ResourceIdentity,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n};\nparser \n (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json index 8053067d7ed..f4df060c3ba 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json 
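Review bot: The FailedReason table in this parser disagrees with the Entra ID result-code mapping used by the managed-identity parser in the previous hunk: here `'50173', 'Password expired'` and `'70008', 'Password expired'`, whereas that parser maps 50173 (FreshTokenNeeded) and 70008 (ExpiredOrRevokedGrant) to "Session expired", so a detection keyed on EventResultDetails classifies the same result code differently depending on which sign-in table the event came from. Aligning them to `'50173', 'Session expired'` and `'70008', 'Session expired'` keeps the Authentication schema consistent across the Entra ID parsers. This parser also stamps `EventSchemaVersion = '0.1.0'` and omits the `EventSchema = 'Authentication'` field that the sibling parsers emit, which looks like the same drift rather than an intentional difference. As with the other hunks, the JSON appears to be generated from the parser YAML, so the change belongs there.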
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationAADServicePrincipalSignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationAADServicePrincipalSignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Entra ID service principal sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" 
,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon 
violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", 
\"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Service Principal\",\n LocationDetails = todynamic(LocationDetails),\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | extend\n SrcGeoCity = tostring(LocationDetails.city),\n SrcGeoCountry = Location,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude),\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = 
TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser \n(\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Entra ID service principal sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n 
\"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented 
assertion\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n 
EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Service Principal\",\n LocationDetails = todynamic(LocationDetails),\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | extend\n SrcGeoCity = tostring(LocationDetails.city),\n SrcGeoCountry = Location,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude),\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser \n(\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } 
} ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json index dc0fd8883da..5fe295558c4 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSigninLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSigninLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSigninLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n 
'',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n| extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n //\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n };\n parser \n (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSigninLogs", + "query": "let FailedReason=datatable(ResultType:string, 
EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n '',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n| extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = 
toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n //\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n };\n parser \n (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json index ef59fc9cb07..d9fd5480e92 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationAWSCloudTrail')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationAWSCloudTrail", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for AWS sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationAWSCloudTrail", - "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n];\nlet ASIM_GetUsernameType = (username:string) { \n case ( \n username contains \"@\" , \"UPN\",\n username contains \"\\\\\", \"Windows\",\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\",\n isempty(username), \"\",\n \"Simple\"\n )\n};\nlet parser=(disabled:bool=false){\n AWSCloudTrail \n | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | project-rename\n EventOriginalResultDetails = ErrorMessage,\n 
EventOriginalUid = AwsEventId,\n EventProductVersion = EventVersion,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetOriginalUserType = UserIdentityType,\n TargetUserScopeId = UserIdentityAccountId\n | extend\n Dvc = 'AWS',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'CloudTrail',\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'AWS',\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n LogonProtocol = 'HTTPS',\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n TargetUserIdType = 'AWSId',\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. 
\n UserIdentityUserName\n )\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational'),\n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n // -- Specific identifier aliases\n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n Dst = LogonTarget,\n Dvc = EventVendor,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n User = TargetUsername\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser \n (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for AWS sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationAWSCloudTrail", + "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed 
authentication', ''\n];\nlet ASIM_GetUsernameType = (username:string) { \n case ( \n username contains \"@\" , \"UPN\",\n username contains \"\\\\\", \"Windows\",\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\",\n isempty(username), \"\",\n \"Simple\"\n )\n};\nlet parser=(disabled:bool=false){\n AWSCloudTrail \n | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | project-rename\n EventOriginalResultDetails = ErrorMessage,\n EventOriginalUid = AwsEventId,\n EventProductVersion = EventVersion,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetOriginalUserType = UserIdentityType,\n TargetUserScopeId = UserIdentityAccountId\n | extend\n Dvc = 'AWS',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'CloudTrail',\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'AWS',\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n LogonProtocol = 'HTTPS',\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n TargetUserIdType = 'AWSId',\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. 
\n UserIdentityUserName\n )\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational'),\n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n // -- Specific identifier aliases\n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n Dst = LogonTarget,\n Dvc = EventVendor,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n User = TargetUsername\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser \n (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json index 070f3cfe65f..3af334356a7 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled 
Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse 
trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername= DestinationUserName\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\nunion isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication 
parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | 
lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), 
unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername= DestinationUserName\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\nunion isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json index 0777b3bdadc..a1e4d0f7ac9 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCiscoASA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Cisco Device Logon Events", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCiscoASA", - "query": "let parser = (\n disabled:bool=false\n){\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", 
\"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress,EventOriginalSeverity, EventSeverity\n | lookup 
DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away 
Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n ) \n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n 
EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n};\nparser (\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoASA", + "query": "let parser = (\n disabled:bool=false\n){\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", 
\"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress,EventOriginalSeverity, EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" 
TargetUsername \" \" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message 
with * 'Denied ' TargetUsername ' login' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n ) \n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
index 4511c0681c7..056a53d4d7d 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCiscoISE", - "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password 
authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. 
Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to 
login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is 
unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user 
failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. 
See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. 
The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n , TargetIpAddr=DestinationIPAddress\n , TargetPortNumber=DestinationPort\n , TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n , SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"Authentication\"\n , EventSchemaVersion = \"0.1.3\"\n // **************** *****************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , IpAddr = SrcIpAddr\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = TargetUsername\n // **************** ****************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(disabled=disabled)",
- "version": 1,
- "functionParameters": "disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Authentication ASIM parser for Cisco ISE",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuthenticationCiscoISE",
+ "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external 
REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. 
Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", 
\"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal 
error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n , TargetIpAddr=DestinationIPAddress\n , TargetPortNumber=DestinationPort\n , TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n , SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"Authentication\"\n , EventSchemaVersion = \"0.1.3\"\n // **************** *****************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , IpAddr = SrcIpAddr\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = TargetUsername\n // **************** ****************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json index e1710a8945f..0b0ed9ec457 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCiscoMeraki", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", 
\"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n (\n meraki_CL\n | project-rename LogMessage = Message\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', 
SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoMeraki", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n 
\"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n (\n meraki_CL\n | project-rename LogMessage = Message\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", 
quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json index 5ff08c67f09..1cbed1b42ae 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json 
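Review bot: The new `"displayName": "ASIM Authentication parser for Cisco Meraki"` on the flattened savedSearches resource is the same display name the sibling ASimAuthenticationCiscoMerakiSyslog template carries, so the two functions cannot be told apart in the workspace's saved-search list; consider `"displayName": "ASIM Authentication parser for Cisco Meraki (meraki_CL)"` here and a syslog-qualified name in the sibling. Dropping `dependsOn` is consistent with no longer declaring the parent workspace resource, but it turns the existence of the workspace named by `parameters('Workspace')` into an implicit deployment precondition (a wrong value now fails with a not-found on the parent instead of creating an empty workspace), which the parameter's metadata description should state if it does not already. The query and version lines are only reindented under the single `Microsoft.OperationalInsights/workspaces/savedSearches` resource, so they need no further review here.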
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCiscoMerakiSyslog", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", 
\"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n 
EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,\n CollectorHostName\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoMerakiSyslog", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", 
\"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | 
extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,\n CollectorHostName\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
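Review bot: In the new `query` value, `EventUid = _ResourceId` assigns the identifier of the Azure resource the record belongs to rather than a per-record value, so every normalized Meraki syslog event appears to share one EventUid; the other parsers in this diff (CrowdStrike, Google Workspace, Illumio) all use `EventUid = _ItemId`. The query text itself is untouched by this commit (only the resource nesting moved), and if this ARM file is produced from the parser YAML by the KqlFuncYaml2Arm script changed in the same commit, the correction belongs in that YAML; the line would become `EventUid = _ItemId`. The existing `project-away` of `_ResourceId` can stay as is.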
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json index c1a489f023d..64553522c0d 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCrowdStrikeFalconHost", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\")\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = 
DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\")\n 
| lookup EventSeverityLookup on LogSeverity\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json index 56a20abee31..3697fa5d2a7 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationGoogleWorkspace')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationGoogleWorkspace", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Google Workspace", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationGoogleWorkspace", - "query": "let parser = (\n disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n login_challenge_method_s: string,\n id_applicationName_s: string,\n affected_email_address_s: string,\n is_suspicious_b: bool,\n is_second_factor_b: bool,\n login_type_s: string,\n sensitive_action_name_s: string,\n login_challenge_status_s: string,\n TimeGenerated: datetime,\n _ItemId: string,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\n \"login_challenge\", \"Logon\", \"\", \"\",\n \"login_verification\", \"Logon\", \"\", \"\",\n \"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\n \"riskay_sensitive_action_allowed\", \"Logon\", 
\"Success\", \"Allowed\",\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\n];\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\n | where not(disabled)\n | where event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | project-rename\n TargetUsername = actor_email_s,\n TargetUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n LogonMethod = login_challenge_method_s,\n EventOriginalType = event_type_s,\n EventOriginalUid = id_uniqueQualifier_s\n | extend\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\n | extend \n AdditionalFields = bag_pack(\n \"Is_Suspicious\",\n is_suspicious_b,\n \"Is_Second_Factor_b\",\n is_second_factor_b,\n \"Logon_Type\",\n login_type_s,\n \"Sensitive_Action_Name\",\n sensitive_action_name_s\n ),\n EventResult = case(\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\n \"Success\",\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\n \"Failure\",\n EventResult\n ),\n EventResultDetails = 
iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\n RuleName = case(\n event_name_s == 'suspicious_login',\n \"Google has detected a suspicious login for TargetUSerName\",\n event_name_s == 'suspicious_login_less_secure_app',\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\n event_name_s == 'suspicious_programmatic_login',\n \"Google has detected a suspicious programmatic login for TargetUserName\",\n event_name_s == 'user_signed_out_due_to_suspicious_session_cookie',\n \"Suspicious session cookie detected for user TargetUserName\",\n \"\"\n ),\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\n ThreatLastReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null))\n | extend\n EventOriginalSubType = event_name_s,\n TargetAppName = \"Google Workspace - login\",\n Dst = \"Google Workspace\",\n Application = \"Google Workspace\",\n TargetAppType = \"SaaS application\",\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n Dvc=\"Workspace\",\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventUid = _ItemId\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Google Workspace", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationGoogleWorkspace", + "query": "let parser = (\n disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable 
(\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n login_challenge_method_s: string,\n id_applicationName_s: string,\n affected_email_address_s: string,\n is_suspicious_b: bool,\n is_second_factor_b: bool,\n login_type_s: string,\n sensitive_action_name_s: string,\n login_challenge_status_s: string,\n TimeGenerated: datetime,\n _ItemId: string,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\n \"login_challenge\", \"Logon\", \"\", \"\",\n \"login_verification\", \"Logon\", \"\", \"\",\n \"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\n \"riskay_sensitive_action_allowed\", \"Logon\", \"Success\", \"Allowed\",\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\n];\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\n | where not(disabled)\n | where event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | project-rename\n TargetUsername = 
actor_email_s,\n TargetUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n LogonMethod = login_challenge_method_s,\n EventOriginalType = event_type_s,\n EventOriginalUid = id_uniqueQualifier_s\n | extend\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\n | extend \n AdditionalFields = bag_pack(\n \"Is_Suspicious\",\n is_suspicious_b,\n \"Is_Second_Factor_b\",\n is_second_factor_b,\n \"Logon_Type\",\n login_type_s,\n \"Sensitive_Action_Name\",\n sensitive_action_name_s\n ),\n EventResult = case(\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\n \"Success\",\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\n \"Failure\",\n EventResult\n ),\n EventResultDetails = iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\n RuleName = case(\n event_name_s == 'suspicious_login',\n \"Google has detected a suspicious login for TargetUSerName\",\n event_name_s == 'suspicious_login_less_secure_app',\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\n event_name_s == 'suspicious_programmatic_login',\n \"Google has detected a suspicious programmatic login for TargetUserName\",\n event_name_s == 'user_signed_out_due_to_suspicious_session_cookie',\n \"Suspicious session cookie detected for user TargetUserName\",\n \"\"\n ),\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\n ThreatLastReportedTime = 
iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null))\n | extend\n EventOriginalSubType = event_name_s,\n TargetAppName = \"Google Workspace - login\",\n Dst = \"Google Workspace\",\n Application = \"Google Workspace\",\n TargetAppType = \"SaaS application\",\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n Dvc=\"Workspace\",\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventUid = _ItemId\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json index 530d73876eb..5f9b3c20cf7 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json 
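Review bot: The `EventFieldsLookup` row `"riskay_sensitive_action_allowed", "Logon", "Success", "Allowed",` in the new query looks like a misspelling of `risky_sensitive_action_allowed` (its sibling row is `risky_sensitive_action_blocked`); because `SupportedEventNames` is projected from this table and gates `where event_name_s in (SupportedEventNames)`, the "allowed" variant of that event is presumably never normalized at all. The `RuleName` strings also embed the literal text `TargetUSerName`/`TargetUserName` instead of the actual username, which reads like a placeholder that was never substituted; if that is intended as a fixed rule title it would be worth a comment saying so. The query is unchanged by this commit, and if the ARM file is generated from the parser YAML the fixes belong there.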
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationIllumioSaaSCore')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationIllumioSaaSCore", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Illumio SaaS Core", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationIllumioSaaSCore", - "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\n EventResultDetails: string,\n EventResult: string\n)\n[\n 'user.authenticate', 'Logon', 'Other', 'Success',\n 'user.login', 'Logon', 'Other', 'Success',\n 'user.logout', 'Logoff', 'Other', 'Success',\n 'user.sign_in', 'Logon', 'Other', 'Success',\n 'user.sign_out', 'Logoff', 'Other', 'Success',\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\n];\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);\nlet parser=(disabled: bool=false) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only\n | extend \n EventProduct='Core'\n ,\n EventVendor='Illumio'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3'\n , \n EventOriginalUid = href\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\n | extend \n 
EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n , \n TargetUsername = case( \n isnotnull(created_by.user), created_by.user.username, \n \"Unknown\"\n ),\n TargetUsernameType = \"Simple\",\n EventUid = _ItemId,\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip)\n // ** Aliases\n | extend \n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n ,\n User = TargetUsername\n | project-away \n TenantId,\n href,\n pce_fqdn,\n created_by,\n event_type,\n status,\n severity,\n action,\n resource_changes,\n notifications,\n version \n };\n parser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\n EventResultDetails: string,\n EventResult: string\n)\n[\n 'user.authenticate', 'Logon', 'Other', 'Success',\n 'user.login', 'Logon', 'Other', 'Success',\n 'user.logout', 'Logoff', 'Other', 'Success',\n 'user.sign_in', 'Logon', 'Other', 'Success',\n 'user.sign_out', 'Logoff', 'Other', 'Success',\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\n];\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);\nlet parser=(disabled: bool=false) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only\n | extend \n EventProduct='Core'\n ,\n EventVendor='Illumio'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3'\n , \n EventOriginalUid = href\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\n | extend \n 
EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n , \n TargetUsername = case( \n isnotnull(created_by.user), created_by.user.username, \n \"Unknown\"\n ),\n TargetUsernameType = \"Simple\",\n EventUid = _ItemId,\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip)\n // ** Aliases\n | extend \n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n ,\n User = TargetUsername\n | project-away \n TenantId,\n href,\n pce_fqdn,\n created_by,\n event_type,\n status,\n severity,\n action,\n resource_changes,\n notifications,\n version \n };\n parser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json index ad62a970a48..98e8ae1fd41 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json 
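Review bot: `user_events` in the new query lists `'user.sigin'` while `EventTypeLookup` maps `'user.sign_in'`; since the `where not(disabled) and event_type in (user_events)` filter runs before `lookup EventTypeLookup on event_type`, `user.sign_in` records are dropped before they reach the lookup row that exists for them, leaving a gap in sign-in coverage. The intended line is evidently `let user_events = dynamic(['user.sign_in', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);`. The query is unchanged by this commit, and if the ARM file is generated from the parser YAML the fix belongs in that source.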
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationM365Defender')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationM365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for M365 Defender Device Logon Events", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationM365Defender", - "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n 
InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = 
InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = _ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = 
TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for M365 Defender Device Logon Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationM365Defender", + "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 
'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away 
InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = _ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke 
_ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json index 1e3a7d8b4a2..d5a61c3d1b0 100644 
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Defender for IoT endpoint logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationMD4IoT", - "query": "let parser=(disabled:bool=false)\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | project-rename EventUid = _ItemId\n | extend\n EventDetails = todynamic(EventDetails)\n | extend\n EventCount = int(1),\n EventEndTime = todatetime(TimeGenerated), \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success'), \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventVendor = 'Microsoft'\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n SrcIpAddr = tostring(EventDetails.RemoteAddress), \n TargetUsername = tostring(EventDetails.UserName),\n TargetUsernameType = \"Simple\"\n | project-rename\n _ResourceId = 
AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion // -- Not available in Windows\n // -- aliases\n | extend \n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Process = ActingProcessName, \n SrcDvcIpAddr = SrcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Defender for IoT endpoint logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationMD4IoT", + "query": "let parser=(disabled:bool=false)\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | project-rename EventUid = _ItemId\n | extend\n EventDetails = todynamic(EventDetails)\n | extend\n EventCount = int(1),\n EventEndTime = todatetime(TimeGenerated), \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success'), \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventVendor = 'Microsoft'\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n SrcIpAddr = tostring(EventDetails.RemoteAddress), \n TargetUsername = tostring(EventDetails.UserName),\n TargetUsernameType = \"Simple\"\n | project-rename\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion // -- Not available in Windows\n // -- aliases\n | 
extend \n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Process = ActingProcessName, \n SrcDvcIpAddr = SrcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json index 262519b8e67..958b051f666 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account 
expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(disabled: bool=false) { \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in 
(LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcHostname = tostring(EventData.WorkstationName),\n SrcIpAddr = tostring(EventData.IpAddress),\n Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4634,\n \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n 
ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon=(disabled: bool=false) {\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcHostname = WorkstationName,\n SrcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = 
TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationMicrosoftWindowsEvent", + "query": "let LogonEvents=dynamic([4624, 
4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n 
'0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(disabled: bool=false) { \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcHostname = tostring(EventData.WorkstationName),\n SrcIpAddr = tostring(EventData.IpAddress),\n 
Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4634,\n \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n 
LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon=(disabled: bool=false) {\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcHostname = WorkstationName,\n SrcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-', ''), 
'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json index 6d5a591b5df..899a6b5ee95 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationOktaSSO')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationOktaSSO", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Okta", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationOktaSSO", - "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated:datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n | extend\n outcome_result_s=column_ifexists('outcome_result_s', \"\")\n ,\n eventType_s=column_ifexists('eventType_s', \"\")\n ,\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\n ,\n client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\n ,\n client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 
'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Okta", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationOktaSSO", + "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 
'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated:datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n | extend\n outcome_result_s=column_ifexists('outcome_result_s', \"\")\n ,\n eventType_s=column_ifexists('eventType_s', \"\")\n ,\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\n ,\n client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\n ,\n client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n 
,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json index c31a5b84a18..672fa3081ce 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json 
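Review bot: `"etag": "*"` on the new `savedSearches` resource makes every deployment an unconditional overwrite of whatever function currently holds the `ASimAuthenticationOktaSSO` alias in the target workspace, and `"version": 1` is a constant rather than a version check, so a stale or tampered template silently replaces a parser that detection rules depend on. As far as I can tell `*` is the documented way to upsert a workspace function, so this is an operational caveat rather than a bug, but it is worth stating in the parser deployment docs: deploy rights on the workspace are effectively rights to rewrite normalization logic, and the deployment pipeline should pin the template revision it applies. Separately, the parser hardcodes `TargetUsernameType='UPN'` for `actor_alternateId_s`, whereas the sibling OktaV2 parser in this same change derives the type with `_ASIM_GetUsernameType(ActorUsername)`; if Okta can report a non-email login in `actor_alternateId_s` (I cannot confirm from here), the hardcoded value is wrong and `TargetUsernameType=_ASIM_GetUsernameType(TargetUsername)` would be the safer choice.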
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationOktaV2')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationOktaV2", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for OktaV2", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationOktaV2", - "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: 
string,\n TransactionType: string\n)[];\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=column_ifexists('ActorUsername', \"\")\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId,\n TransactionType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n 
Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy,\n TransactionId,\n TransactionType;\n OktaV2\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for OktaV2", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationOktaV2", + "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n 
SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=column_ifexists('ActorUsername', \"\")\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n 
SecurityContextDomain,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId,\n TransactionType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy,\n TransactionId,\n TransactionType;\n OktaV2\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json index 41c1bbc7b6d..c963395d981 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json 
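Review bot: `TransactionDetail` is pulled into the `extend` block that the comment labels `non-normalized fields to be projected-away`, but it is missing from the `project-away` list that follows, so this raw `dynamic` payload leaks through into the normalized output unlike its siblings `TransactionId`, `TransactionType` and `DebugData`; add `TransactionDetail,` to the `project-away` list. The same applies to `AuthenticationContext`, `AuthenticationProvider` and `AuthenticationStep`, which are declared in `emptyOctaV2Table` and never removed. Also, `OktaSuccessfulOutcome` and `OktaFailedOutcome` are declared but never referenced in this parser: `EventResult` is passed through from `OktaV2_CL` unchanged while `OriginalOutcomeResult` is dropped, so if the ingestion transform does not already emit ASIM's `Success`/`Failure` vocabulary nothing here enforces it. Either derive it before the `project-away`, e.g. `EventResult = case(OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success', OriginalOutcomeResult in (OktaFailedOutcome), 'Failure', 'Partial')`, or delete the two dead `let`s so readers do not assume the mapping is applied.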
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, 
PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = 
PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1, \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1, \"Windows\",\n \"\"\n ),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationPaloAltoCortexDataLake", + "query": "let EventSeverityLookup 
= datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n 
FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1, \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1, \"Windows\",\n \"\"\n ),\n 
TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json index 9520256bcd0..cc368e11f20 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json 
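Review bot: `EventResult = iff(EventMessage has "Invalid Certificate", "Failure", "Success")` fails open: every AUTH event whose message does not contain that one substring is normalized as a successful logon, including whatever wording Cortex Data Lake uses for bad-password or MFA failures, so downstream brute-force and password-spray detections filtering on `EventResult == "Failure"` would be blind to them. The CEF `EventOutcome` column and the parsed `PanOSAuthenticationDescription` are both discarded in `project-away` without being consulted; I would derive `EventResult` from `EventOutcome` (and the description) and map unrecognized messages to something other than `Success`, with the exact match strings confirmed against sample data, which I cannot see here. Separately, `TargetDomainType` is computed by splitting `DestinationUserName` while `TargetDomain` itself comes from `PanOSAuthenticatedUserDomain`; the type should describe the field it accompanies, e.g. `array_length(split(TargetDomain, ".")) > 1, "FQDN"` and `array_length(split(TargetDomain, "\\")) > 1, "Windows"`.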
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationPostgreSQL')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationPostgreSQL", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for PostgreSQL", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationPostgreSQL", - "query": "let PostgreSQLSignInAuthorized=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'connection authorized'\n| project-rename \n EventUid = _ItemId\n| extend\n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Connection authorized',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc=Computer,\n User=TargetUsername\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'authentication failed'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = 
extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('role', 'does', 'not', 'exist')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Role does not exist',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('no', 'entry', 'user')\n| extend \n DvcHostname = Computer,\n 
DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'No entry for user',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData),\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLDisconnect=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'disconnection'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventResultDetails = 'Session expired',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData),\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nunion isfuzzy=false \n PostgreSQLSignInAuthorized(disabled = disabled), \n PostgreSQLAuthFailure1(disabled = 
disabled), \n PostgreSQLAuthFailure2(disabled = disabled), \n PostgreSQLAuthFailure3(disabled = disabled), \n PostgreSQLDisconnect(disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for PostgreSQL", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationPostgreSQL", + "query": "let PostgreSQLSignInAuthorized=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'connection authorized'\n| project-rename \n EventUid = _ItemId\n| extend\n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Connection authorized',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc=Computer,\n User=TargetUsername\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'authentication failed'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n 
EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('role', 'does', 'not', 'exist')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Role does not exist',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('no', 'entry', 'user')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'No entry for user',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n 
EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData),\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLDisconnect=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'disconnection'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventResultDetails = 'Session expired',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData),\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nunion isfuzzy=false \n PostgreSQLSignInAuthorized(disabled = disabled), \n PostgreSQLAuthFailure1(disabled = disabled), \n PostgreSQLAuthFailure2(disabled = disabled), \n PostgreSQLAuthFailure3(disabled = disabled), \n PostgreSQLDisconnect(disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
index d2500cda5a3..532bc513756 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSalesforceSC')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSalesforceSC", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Salesforce Service Cloud", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let parser = (\ndisabled: bool=false\n) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\nlogin_type_s: string,\nlogin_sub_type_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nrequest_status_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string,\nwave_session_id_g: string\n)[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML 
Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n | extend 
LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n 
ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Salesforce Service Cloud", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSalesforceSC", + "query": "let parser = (\ndisabled: bool=false\n) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\nlogin_type_s: string,\nlogin_sub_type_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nrequest_status_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string,\nwave_session_id_g: string\n)[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: 
string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n 
\"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n 
EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json index ef11843ceeb..3ffed72291b 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSentinelOne", - "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n [\n \"invalid 2FA code\", \"Incorrect password\",\n \"IP/User mismatch\", \"No such user or password\",\n \"invalid password\", \"Incorrect password\",\n \"user temporarily locked 2FA attempt\", \"User locked\",\n \"no active site\", \"Other\"\n ];\n let EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n )\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n ];\n let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n ];\n let EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", 
\"Interactive\",\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n ];\n let DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n )\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n ];\n let TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\n let parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled);\n let activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", 
quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\", accountName,\n \"fullScopeDetails\", fullScopeDetails,\n \"fullScopeDetailsPath\", fullScopeDetailsPath,\n \"scopeLevel\", scopeLevel,\n \"source\", source,\n \"sourceType\", sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList), role,\n role == \"null\", \"\",\n \"Other\"\n )\n | project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\n let alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n let alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n | extend\n EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", 
\"Failure\"),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\n union activitydata, alertdatawiththreatfield\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM 
Authentication parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSentinelOne", + "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n [\n \"invalid 2FA code\", \"Incorrect password\",\n \"IP/User mismatch\", \"No such user or password\",\n \"invalid password\", \"Incorrect password\",\n \"user temporarily locked 2FA attempt\", \"User locked\",\n \"no active site\", \"Other\"\n ];\n let EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n )\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n ];\n let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n ];\n let EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", \"Interactive\",\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n ];\n let DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n )\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n ];\n let ThreatConfidenceLookup_undefined = 
datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n ];\n let TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\n let parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled);\n let activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\", accountName,\n \"fullScopeDetails\", fullScopeDetails,\n \"fullScopeDetailsPath\", fullScopeDetailsPath,\n \"scopeLevel\", scopeLevel,\n \"source\", source,\n \"sourceType\", sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList), role,\n role == \"null\", \"\",\n \"Other\"\n )\n | 
project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\n let alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n let alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n | extend\n EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\"),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = 
alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\n union activitydata, alertdatawiththreatfield\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json index a370118546f..459c848a9a9 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSshd')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSshd", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for OpenSSH sshd", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSshd", - "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 
'Failed')\n )\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon',\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, 
ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and 
SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled=disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + 
"properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for OpenSSH sshd", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSshd", + "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon',\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - 
Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 
'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout 
(disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled=disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json index e98e448189d..a02544c60b8 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSu')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSu", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Linux su", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSu", - "query": "let parser = (disabled: bool=false)\n{\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n};\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SuDisconnect(disabled = disabled),\n SuSignInAuthorized (disabled = disabled)\n | invoke 
_ASIM_ResolveDvcFQDN ('Computer')\n | extend\n ActingAppId = tostring(ProcessID),\n ActingAppType = 'Process',\n ActorUsernameType = 'Simple',\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'su',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventSeverity = 'Informational',\n EventStartTime = TimeGenerated,\n EventVendor = 'Linux',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n};\nparser\n(\n disabled=disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Linux su", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSu", + "query": "let parser = (disabled: bool=false)\n{\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | extend\n EventType = 'Elevation'\n | 
project-away SyslogMessage, ProcessName\n};\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SuDisconnect(disabled = disabled),\n SuSignInAuthorized (disabled = disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n ActingAppId = tostring(ProcessID),\n ActingAppType = 'Process',\n ActorUsernameType = 'Simple',\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'su',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventSeverity = 'Informational',\n EventStartTime = TimeGenerated,\n EventVendor = 'Linux',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n};\nparser\n(\n disabled=disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json index 787a1217f61..3b711fb19b8 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSudo')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSudo", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Syslog sudo", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSudo", - "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where 
ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - 
} - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Syslog sudo", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSudo", + "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 
'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json index cfd10c5c9e3..a116ee78fbc 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationVMwareCarbonBlackCloud", - "query": "let parser = (disabled: bool=false) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\"\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\")\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventType = \"Logon\",\n EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n ),\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), 
\"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId \n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationVMwareCarbonBlackCloud", + "query": "let parser = (disabled: bool=false) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\"\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\")\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventType = \"Logon\",\n EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n ),\n EventOriginalResultDetails = iff(EventResult == 
\"Failure\", tostring(split(description_s, ';')[1]), \"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId \n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json index 1d1acc98e3a..3edcdb6a2e7 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationVectraXDRAudit')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationVectraXDRAudit", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Vectra XDR Audit Logs Event", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationVectraXDRAudit", - "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\")\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)", - "version": 1, - 
"functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationVectraXDRAudit", + "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\")\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index 9646a038b0e..1a2e8bf4b44 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imAuthentication')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imAuthentication", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled 
or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO 
(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , 
vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= 
(imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, 
endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imAuthentication", + "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, 
eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = 
(imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, 
username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, 
eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, 
username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled 
or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json index 8722f71293a..27831bbafe5 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationAADManagedIdentitySignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAADManagedIdentitySignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID managed identity sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs", - "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n 
\"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session 
expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n 
eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADManagedIdentitySignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Managed Identity\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Application'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": 
"Authentication ASIM filtering parser for Microsoft Entra ID managed identity sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs", + "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - 
EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", 
\"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADManagedIdentitySignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 
0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Managed Identity\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Application'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n 
targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json index 5e200c0f92b..0ba0304ae2a 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationAADNonInteractiveUserSignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAADNonInteractiveUserSignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID non-interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs", - "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet AADNIAuthentication=(starttime: 
datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n AADNonInteractiveUserSignInLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(todynamic(DeviceDetail).displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventCount=int(1)\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n ,\n SrcHostname 
=tostring(todynamic(DeviceDetail).displayName)\n ,\n SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetAppId = ResourceIdentity \n ,\n EventSubType = 'NonInteractive'\n ,\n TargetUsernameType='UPN'\n ,\n TargetUserIdType='EntraID'\n ,\n TargetAppName=ResourceDisplayName\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n SrcIpAddr = IPAddress\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n User=TargetUsername\n ,\n LogonTarget=ResourceIdentity\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID non-interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs", + "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or 
password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet AADNIAuthentication=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n AADNonInteractiveUserSignInLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(todynamic(DeviceDetail).displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done 
later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventCount=int(1)\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n ,\n SrcHostname =tostring(todynamic(DeviceDetail).displayName)\n ,\n SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetAppId = ResourceIdentity \n ,\n EventSubType = 'NonInteractive'\n ,\n TargetUsernameType='UPN'\n ,\n TargetUserIdType='EntraID'\n ,\n TargetAppName=ResourceDisplayName\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n SrcIpAddr = IPAddress\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n User=TargetUsername\n ,\n LogonTarget=ResourceIdentity\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json index 55c5bb1a195..37eb5245a83 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationAADServicePrincipalSignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAADServicePrincipalSignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID service principal sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs", - "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n 
\"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session 
expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\", \"Logon\", \"Failure\", \"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\", \"Logon\", \"Failure\", \"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\", \"Logon\", \"Failure\", \"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon violates policy\", \"Logon\", \"Failure\", \"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\", \"Logon\", \"Failure\", \"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\", \"Logon\", \"Failure\", \"90033 - A transient error has 
occurred\", \"Informational\",\n \"90024\", \"Transient error\", \"Logon\", \"Failure\", \"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADServicePrincipalSignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n 
,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Service Principal\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Service'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n ,\n SrcGeoCountry = Location\n ,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n ,\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n ,\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser \n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n 
targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID service principal sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs", + "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", 
\"Low\",\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", 
\"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\", \"Logon\", \"Failure\", \"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\", \"Logon\", \"Failure\", \"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\", \"Logon\", \"Failure\", \"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon violates policy\", \"Logon\", \"Failure\", \"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\", \"Logon\", \"Failure\", \"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\", \"Logon\", \"Failure\", \"90033 - A transient 
error has occurred\", \"Informational\",\n \"90024\", \"Transient error\", \"Logon\", \"Failure\", \"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADServicePrincipalSignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = 
ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Service Principal\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Service'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n ,\n SrcGeoCountry = Location\n ,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n ,\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n ,\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser \n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n 
targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json index bdad4fa2c1d..4a9ed414f0b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json 
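Review bot: The new-side query sets `Dvc = 'Microsft/Entra ID'` (typo), while the interactive and non-interactive Entra ID parsers in this same change set `Dvc=EventVendor`, i.e. `'Microsoft'`, so one identity provider is labelled three different ways across the Entra ID authentication parsers and any rule or workbook that groups on `Dvc` will split it. This ARM file looks generated from the parser's source YAML, so the fix belongs there followed by a regeneration, e.g. `Dvc = 'Microsoft/Entra ID'` (or aligning on the value the sibling parsers use). Separately, the flattened `workspaces/savedSearches` resource still carries `"etag": "*"`, so each deployment unconditionally overwrites whatever saved search already holds this alias; with the parent workspace resource and its `dependsOn` gone, the template now simply presumes the workspace exists, which is worth one sentence in the `Workspace` parameter's metadata (the parameters section sits outside this hunk).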
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSigninLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSigninLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSigninLogs", - "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet UserTypeLookup = datatable (UserType: string, TargetUserType: string) [\n 'Member', 'Regular',\n 'Guest', 
'Guest', \n '', ''\n];\nlet AADSigninLogs=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n SigninLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(DeviceDetail.displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(DeviceDetail.deviceId)\n ,\n SrcDvcHostname = 
tostring(DeviceDetail.displayName) // Backword Compatibility. Will be removed by July 2024\n ,\n SrcHostname = tostring(DeviceDetail.displayName)\n ,\n SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetUsernameType='Upn'\n ,\n TargetUserIdType='EntraID'\n ,\n SrcIpAddr = IPAddress\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n TargetAppId = ResourceIdentity\n ,\n TargetAppName=ResourceDisplayName\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n LogonTarget=TargetAppName\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId \n};\nAADSigninLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSigninLogs", + "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No 
such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet UserTypeLookup = datatable (UserType: string, TargetUserType: string) [\n 'Member', 'Regular',\n 'Guest', 'Guest', \n '', ''\n];\nlet AADSigninLogs=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n SigninLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(DeviceDetail.displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // 
************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(DeviceDetail.deviceId)\n ,\n SrcDvcHostname = tostring(DeviceDetail.displayName) // Backword Compatibility. Will be removed by July 2024\n ,\n SrcHostname = tostring(DeviceDetail.displayName)\n ,\n SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetUsernameType='Upn'\n ,\n TargetUserIdType='EntraID'\n ,\n SrcIpAddr = IPAddress\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n TargetAppId = ResourceIdentity\n ,\n TargetAppName=ResourceDisplayName\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n LogonTarget=TargetAppName\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId \n};\nAADSigninLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json index e9237fa3110..bd4c03b6727 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json 
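Review bot: The `FailedReason` lookup in this query normalizes the same Entra ID result codes differently from the service-principal parser deployed by the same commit: `'50173', 'Password expired'` and `'70008', 'Password expired'` here versus `Session expired` there, and `'50034'`/`'50059'`/`'51004'` map to `No such user or password` here versus `No such user` there, so a detection that filters with `eventresultdetails_in` gets different answers depending on which sign-in table the event came from. This table is also much shorter (no 50078, 530032, 530034, 7000215, 7000222, 700027, among others), and any code not listed falls through the `lookup` with an empty `EventResultDetails`, which silently excludes those events from every `eventresultdetails_in` filter. If this file is generated from the parser YAML the fix belongs there: align the two tables (or share one) and add a catch-all after the lookup such as `| extend EventResultDetails = iff(isempty(EventResultDetails), 'Other', EventResultDetails)`, which is the value the service-principal table already uses for unclassified codes. The template's parameters section is outside this hunk.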
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationAWSCloudTrail')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAWSCloudTrail", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for AWS sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAWSCloudTrail", - "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType: string, TargetUserType: string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role', 'Service', \n 'FederatedUser', 'Regular',\n 'Directory', 'Other',\n 'AWSAccount', 'Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (\n EventOriginalResultDetails: string,\n EventOriginalDetails: string\n) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n];\nlet ASIM_GetUsernameType = (username: string) { \n case ( \n username contains \"@\",\n \"UPN\"\n ,\n username contains \"\\\\\",\n \"Windows\"\n ,\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"),\n \"DN\"\n ,\n isempty(username),\n \"\"\n ,\n \"Simple\"\n)\n};\nlet parser= (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n 
targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n AWSCloudTrail\n | where not(disabled)\n // -- Pre filtering\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventName == 'ConsoleLogin'\n and ((array_length(username_has_any) == 0) or (UserIdentityArn has_any (username_has_any)) or (UserIdentityUserName has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SourceIpAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // -- end pre-filtering\n | project-rename\n EventOriginalUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n TargetOriginalUserType = UserIdentityType,\n EventProductVersion = EventVersion,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetUserScopeId = UserIdentityAccountId,\n HttpUserAgent = UserAgent,\n EventUid = _ItemId\n | extend\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\",\n \"\",\n TargetOriginalUserType == 'IAMUser',\n UserIdentityUserName,\n TargetOriginalUserType == 'Root',\n 'root',\n TargetOriginalUserType == 'AssumedRole',\n tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. 
\n UserIdentityUserName\n )\n // Filtering on 'username_has_any'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n EventVendor = 'AWS',\n Dvc = 'AWS',\n EventProduct = 'CloudTrail',\n EventCount = int(1),\n EventSchemaVersion = '0.1.3',\n EventSchema = 'Authentication',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n EventSubType = 'Interactive',\n TargetUserIdType = 'AWSId',\n LogonProtocol = 'HTTPS',\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA', ''),\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure')\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl: string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n LogonTarget=tostring(split(TargetUrl, '?')[0]),\n EventSeverity = iff(EventResult == 'Failure', 'Low', 'Informational')\n // -- Specific idetifier aliases\n | extend \n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = EventVendor,\n Dst = LogonTarget,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n EventSource,\n EventTypeName,\n EventName,\n ResponseElements,\n AdditionalEventData,\n 
Session*,\n Category,\n ErrorCode,\n Aws*,\n ManagementEvent,\n OperationName,\n ReadOnly,\n RequestParameters,\n Resources,\n ServiceEventDetails,\n SharedEventId,\n SourceSystem,\n UserIdentity*,\n VpcEndpointId,\n APIVersion,\n RecipientAccountId,\n TenantId,\n EC2RoleDelivery,\n temp_*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for AWS sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAWSCloudTrail", + "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType: string, TargetUserType: string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role', 'Service', \n 'FederatedUser', 'Regular',\n 'Directory', 'Other',\n 'AWSAccount', 'Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (\n EventOriginalResultDetails: string,\n EventOriginalDetails: string\n) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', 
''\n];\nlet ASIM_GetUsernameType = (username: string) { \n case ( \n username contains \"@\",\n \"UPN\"\n ,\n username contains \"\\\\\",\n \"Windows\"\n ,\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"),\n \"DN\"\n ,\n isempty(username),\n \"\"\n ,\n \"Simple\"\n)\n};\nlet parser= (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n AWSCloudTrail\n | where not(disabled)\n // -- Pre filtering\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventName == 'ConsoleLogin'\n and ((array_length(username_has_any) == 0) or (UserIdentityArn has_any (username_has_any)) or (UserIdentityUserName has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SourceIpAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // -- end pre-filtering\n | project-rename\n EventOriginalUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n TargetOriginalUserType = UserIdentityType,\n EventProductVersion = EventVersion,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetUserScopeId = UserIdentityAccountId,\n HttpUserAgent = UserAgent,\n EventUid = _ItemId\n | extend\n TargetUsername = case (\n 
UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\",\n \"\",\n TargetOriginalUserType == 'IAMUser',\n UserIdentityUserName,\n TargetOriginalUserType == 'Root',\n 'root',\n TargetOriginalUserType == 'AssumedRole',\n tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. \n UserIdentityUserName\n )\n // Filtering on 'username_has_any'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n EventVendor = 'AWS',\n Dvc = 'AWS',\n EventProduct = 'CloudTrail',\n EventCount = int(1),\n EventSchemaVersion = '0.1.3',\n EventSchema = 'Authentication',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n EventSubType = 'Interactive',\n TargetUserIdType = 'AWSId',\n LogonProtocol = 'HTTPS',\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA', ''),\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure')\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl: string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n LogonTarget=tostring(split(TargetUrl, '?')[0]),\n EventSeverity = iff(EventResult == 'Failure', 
'Low', 'Informational')\n // -- Specific idetifier aliases\n | extend \n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = EventVendor,\n Dst = LogonTarget,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n EventSource,\n EventTypeName,\n EventName,\n ResponseElements,\n AdditionalEventData,\n Session*,\n Category,\n ErrorCode,\n Aws*,\n ManagementEvent,\n OperationName,\n ReadOnly,\n RequestParameters,\n Resources,\n ServiceEventDetails,\n SharedEventId,\n SourceSystem,\n UserIdentity*,\n VpcEndpointId,\n APIVersion,\n RecipientAccountId,\n TenantId,\n EC2RoleDelivery,\n temp_*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json index f7ecd4a50fe..c129ab1db40 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json 
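Review bot: The new-side query's project-rename block maps `AWSRegion` to `TargeCloudRegion`, the only `Targe`-prefixed name among the `Target*` fields in the same block (`TargetOriginalUserType`, `TargetUserScopeId`, `TargetUsername`); this reads as a typo for `TargetCloudRegion`, and any content that selects the intended name gets an empty column from this parser, so confirm the schema name and correct the line to `TargetCloudRegion = AWSRegion,`. The query string is identical on the removed side, so the defect predates this commit, and since this ARM JSON appears to be generated from the parser YAML (the KqlFuncYaml2Arm.py change is in the same commit) the fix belongs in the source YAML and should be regenerated here. Separately, `Dvc = 'AWS'` in the first extend is overwritten by `Dvc = EventVendor` in the aliases extend, so one of the two is redundant; and the two `AdditionalEventData has` probes use different spacing (`"MFAUsed": "Yes"` versus `"MobileVersion":"Yes"`), which is presumably deliberate but worth a one-line comment on why the raw JSON is serialized differently for the two keys.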
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string,\n TimeGenerated: datetime\n )[];\n let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n ];\n let EventTypeLookup = datatable (\n EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n )\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n ];\n let EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n )\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User 
locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n ];\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) { \n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (AdminName_s has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n // Filtering on eventtype_in and eventresult\n | where 
((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n temp_*,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (DestinationUserName has_any (username_has_any)))\n and 
(array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"), \n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n temp_*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Barracuda WAF", + "category": "ASIM", + 
"FunctionAlias": "vimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string,\n TimeGenerated: datetime\n )[];\n let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n ];\n let EventTypeLookup = datatable (\n EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n )\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n ];\n let EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n )\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n ];\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) { \n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == 
\"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (AdminName_s has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n // mapping ASimMatchingUsername\n | extend 
temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n temp_*,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (DestinationUserName has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n 
| extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"), \n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n temp_*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
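Review bot: In the new-side query the `BarracudaCEF` branch never applies the `eventresult` filter: its `where` after the EventTypeLookup checks only `eventtype_in`, whereas the `BarracudaCustom` branch adds `and (eventresult == "*" or (EventResult == eventresult))` on the same `where`, and the earlier comment `// Filtering for eventresult done later in the parser` promises it for both branches, so a caller passing `eventresult='Failure'` also receives CEF success events. The CEF `where` should become `| where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in)) and (eventresult == "*" or (EventResult == eventresult))`. `EventTypeLookup` also maps `UNSUCCESSFUL_LOGIN` to `EventType` `Logoff`, so a failed sign-in is not returned by a filter on `EventType == 'Logon'` together with `EventResult == 'Failure'`; presumably that row should read `"UNSUCCESSFUL_LOGIN", "Logon", "Failure"`. Both issues predate this commit (the query string is identical on the removed side), and since this ARM JSON appears to be generated from the parser YAML the correction belongs there and should be regenerated into this file.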
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json index f8d05114a53..7f66de9ad1c 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationCiscoASA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering for Cisco Device Logon Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCiscoASA", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n let DeviceEventClassIDLookup = datatable (\n DeviceEventClassID: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n DvcAction: string,\n EventSubType: string\n )\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", 
\"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity: string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog \n | where 
not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime) \n | where DeviceVendor =~ \"Cisco\"\n and DeviceProduct == \"ASA\"\n and DeviceEventClassID in(FilteredDeviceEventClassID)\n and ((array_length(username_has_any) == 0) or (Message has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(Message, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend EventOriginalSeverity = tostring(split(Message, \"-\", 1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project\n TimeGenerated,\n Type,\n Computer,\n _ItemId,\n DeviceEventClassID,\n Message,\n DeviceAddress,\n EventOriginalSeverity,\n EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and (eventresult == \"*\" or (EventResult == eventresult));\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and 
((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004, 605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber: int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101, 611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008, 113012)\n | parse Message with * 'user = ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | where ((array_length(username_has_any) == 0) or 
(TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039, 716002, 716039, 722022, 722023, 722028, 722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | where ((array_length(username_has_any) == 0) 
or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003, 772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any 
(username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n )\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n ) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + 
"properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoASA", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n let DeviceEventClassIDLookup = datatable (\n DeviceEventClassID: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n DvcAction: string,\n EventSubType: string\n )\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", 
\"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity: string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime) \n | where DeviceVendor =~ \"Cisco\"\n and DeviceProduct == \"ASA\"\n and DeviceEventClassID in(FilteredDeviceEventClassID)\n and ((array_length(username_has_any) == 0) or (Message has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(Message, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in 
source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend EventOriginalSeverity = tostring(split(Message, \"-\", 1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project\n TimeGenerated,\n Type,\n Computer,\n _ItemId,\n DeviceEventClassID,\n Message,\n DeviceAddress,\n EventOriginalSeverity,\n EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and (eventresult == \"*\" or (EventResult == eventresult));\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004, 605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber: int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101, 611102)\n | parse Message with * 'IP address: ' 
SrcIpAddr ', Uname: ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008, 113012)\n | parse Message with * 'user = ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039, 716002, 716039, 722022, 722023, 722028, 722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n 
LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | where ((array_length(username_has_any) == 0) or 
(TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003, 772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n )\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n ) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json index 8a54df6685a..9f0e6492869 100644 
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuthenticationCiscoISE')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationCiscoISE",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Authentication ASIM filtering parser for Cisco ISE",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationCiscoISE",
- "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password 
authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. 
Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to 
login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is 
unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user 
failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. 
See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. 
The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n // ************************** ******************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (SyslogMessage has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************** *****************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" 
EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in~ (eventresultdetails_in)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n ,\n TargetIpAddr=DestinationIPAddress\n ,\n TargetPortNumber=DestinationPort\n ,\n TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n ,\n SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n ,\n EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n ,\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n // ********************** 
**********************************\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = \"Cisco\"\n ,\n EventProduct = \"ISE\"\n ,\n EventProductVersion = \"3.2\"\n ,\n EventCount = int(1)\n ,\n EventSchema = \"Authentication\"\n ,\n EventSchemaVersion = \"0.1.3\" \n // ************************* **********************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n ,\n IpAddr = SrcIpAddr\n ,\n Dst = TargetIpAddr\n ,\n Src = SrcIpAddr\n ,\n User = TargetUsername\n // ************************* ******************** \n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoISE", + "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", 
\"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. 
ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI 
user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", 
\"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. 
For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. 
Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n // ************************** ******************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (SyslogMessage has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************** *****************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" 
EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in~ (eventresultdetails_in)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n ,\n TargetIpAddr=DestinationIPAddress\n ,\n TargetPortNumber=DestinationPort\n ,\n TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n ,\n SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n ,\n EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n ,\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n // ********************** 
**********************************\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = \"Cisco\"\n ,\n EventProduct = \"ISE\"\n ,\n EventProductVersion = \"3.2\"\n ,\n EventCount = int(1)\n ,\n EventSchema = \"Authentication\"\n ,\n EventSchemaVersion = \"0.1.3\" \n // ************************* **********************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n ,\n IpAddr = SrcIpAddr\n ,\n Dst = TargetIpAddr\n ,\n Src = SrcIpAddr\n ,\n User = TargetUsername\n // ************************* ******************** \n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json index 301eae01b10..c532545e5fe 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCiscoMeraki", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", 
\"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n (\n meraki_CL\n | project-rename LogMessage = Message\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or LogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | 
extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType: string \" \" restOfMessage: string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n // post-filtering username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n // post-filtering srcipaddr_has_any_prefix\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoMeraki", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n 
[\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n (\n meraki_CL\n | project-rename LogMessage = Message\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\n and 
(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or LogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType: string \" \" restOfMessage: string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n // post-filtering username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n // post-filtering srcipaddr_has_any_prefix\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json index 4f613d7fcb5..4bc127598cc 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json 
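Review bot: In the `query` carried into the new flat `properties` block, `EventUid = _ResourceId` does not yield a per-record identifier — as far as I can tell `_ResourceId` is the Azure resource the log came from, so every row from one source shares the same EventUid; the per-record column is the usual ASIM choice, `EventUid = _ItemId`. The same query also has an unescaped dot in the epoch regex, `@"(\d+.\d+)\s..."`, which should read `@"(\d+\.\d+)\s..."` so the captured `Epoch` is what `split(Epoch, ".")` expects; the following vimAuthenticationCiscoMerakiSyslog section appears to carry the identical pattern. A smaller consistency nit: `functionParameters` declares `disabled:bool=False` while the inline function declares `disabled: bool=false`; if the generator is emitting Python's `str(False)`, lowercasing it keeps the two declarations identical. The resource restructuring itself (standalone `workspaces/savedSearches` with a concat name and no parent workspace or `dependsOn`) reads fine, but it now requires the workspace to exist before deployment, which deserves a sentence in the deployment docs.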
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCiscoMerakiSyslog", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", 
\"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or LogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = 
tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType: string \" \" restOfMessage: string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n // post-filtering username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n // post-filtering srcipaddr_has_any_prefix\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,ASimMatchingUsername,CollectorHostName,temp_isMatchTargetUsername\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoMerakiSyslog", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", 
\"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n (\n Syslog\n | where Computer in 
(_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or LogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType: string \" \" restOfMessage: string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n // post-filtering username_has_any\n | where 
((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n // post-filtering srcipaddr_has_any_prefix\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,ASimMatchingUsername,CollectorHostName,temp_isMatchTargetUsername\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
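Review bot: In the new query the line `EventUid = _ResourceId` fills a per-event identifier with what is presumably a per-source resource id, so every row from the same Meraki source shares one EventUid and any downstream dedup or join on EventUid will collapse distinct logon/logoff events; the CrowdStrike parser in this same change uses `EventUid = _ItemId` instead. Consider `EventUid = _ItemId` here as well (keeping `_ResourceId` in the `project-away` list). Separately, the timestamp capture `(\d+.\d+)` has an unescaped dot, while the later `split(Epoch, ".")` assumes a literal dot; `(\d+\.\d+)` matches that assumption. This ARM template looks generated from the parser's YAML source, so both fixes presumably belong there rather than in this JSON.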
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json index b6d0da4265a..173c6524ef2 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCrowdStrikeFalconHost", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = ( \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n and (DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\"))\n and ((array_length(username_has_any) == 0) or DestinationUserName has_any (username_has_any))\n and 
(array_length(targetappname_has_any) == 0 or ProcessName has_any (targetappname_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and array_length(eventresultdetails_in) == 0 // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (eventresult == '*' or eventresult =~ EventResult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename \n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n temp_*\n};\nparser(\n starttime=datetime(null),\n endtime=datetime(null),\n username_has_any=dynamic([]),\n targetappname_has_any=dynamic([]),\n srcipaddr_has_any_prefix=dynamic([]),\n srchostname_has_any=dynamic([]),\n eventtype_in=dynamic([]),\n eventresultdetails_in=dynamic([]),\n eventresult=dynamic([]),\n disabled=false\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM 
Authentication parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = ( \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n and (DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\"))\n and ((array_length(username_has_any) == 0) or DestinationUserName has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0 or ProcessName has_any (targetappname_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and array_length(eventresultdetails_in) == 0 // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (eventresult == '*' or eventresult =~ EventResult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup 
EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename \n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n 
temp_*\n};\nparser(\n starttime=datetime(null),\n endtime=datetime(null),\n username_has_any=dynamic([]),\n targetappname_has_any=dynamic([]),\n srcipaddr_has_any_prefix=dynamic([]),\n srchostname_has_any=dynamic([]),\n eventtype_in=dynamic([]),\n eventresultdetails_in=dynamic([]),\n eventresult=dynamic([]),\n disabled=false\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json index db7650c0abd..21b838f848b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json 
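Review bot: The trailing invocation in the new query, `parser(starttime=datetime(null), endtime=datetime(null), username_has_any=dynamic([]), ... eventresult=dynamic([]), disabled=false)`, hard-codes every argument to a default instead of forwarding the function's own parameters, so the filters advertised in `functionParameters` (username_has_any, targetappname_has_any, eventtype_in, eventresult, disabled, ...) are silently ignored by callers of vimAuthenticationCrowdStrikeFalconHost — an analytic rule asking for `eventresult='Failure'` would receive successful logons as well. It also passes a dynamic array to the `eventresult: string` parameter. The Meraki parser in this same change forwards them correctly (`parser(starttime=starttime, endtime=endtime, ..., eventresult=eventresult, disabled=disabled)`), and the same form should be used here. Since this ARM template appears to be generated, the change presumably belongs in the parser's YAML source.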
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationEmpty", - "query": "let EmptyAuthenticationTable=datatable(\n EventProduct:string\n , EventProductVersion: string\n , EventVendor:string\n , EventCount:int\n , EventReportUrl:string\n , EventSchemaVersion:string\n , EventSchema:string\n , TimeGenerated:datetime\n , EventOriginalUid:string\n , EventOriginalType:string\n , EventOriginalSubType:string\n , EventMessage:string\n , EventResult:string\n , EventResultDetails:string\n , EventOriginalResultDetails:string\n , EventStartTime:datetime\n , EventEndTime:datetime\n , EventType:string\n , EventSubType:string\n , EventUid:string\n , EventSeverity:string\n , EventOriginalSeverity:string\n , EventOwner:string\n , ActorSessionId:string\n , TargetSessionId:string\n , ActorUserId:string\n , ActorUsername:string\n , ActorUserType:string\n , ActorUserIdType:string\n , ActorUsernameType:string\n , ActorScopeId:string\n , ActorOriginalUserType:string\n , TargetUserId:string\n , TargetUsername:string\n , TargetUserType:string\n , SrcDvcId:string\n , SrcDvcIdType:string\n , SrcDeviceType:string\n , SrcDvcOs:string\n , HttpUserAgent:string\n , SrcIsp:string\n , SrcGeoCity:string\n , SrcGeoCountry:string\n , SrcGeoRegion:string\n , SrcGeoLatitude:real\n , SrcGeoLongitude:real\n , 
SrcIpAddr:string\n , SrcPortNumber:string\n , SrcHostname:string\n , SrcDomain:string\n , SrcDomainType:string\n , SrcFQDN:string\n , SrcDescription:string\n , SrcDvcScopeId:string\n , SrcRiskLevel:int\n , SrcOriginalRiskLevel:string\n , ActingAppId:string\n , ActingAppName:string\n , ActingAppType:string\n , ActingOriginalAppType:string\n , TargetAppId:string\n , TargetAppName:string\n , TargetAppType:string\n , TargetOriginalAppType:string\n , TargetDvcId:string\n , TargetDvcIdType:string\n , TargetHostname:string\n , TargetDomain:string\n , TargetDomainType:string\n , TargetFQDN:string\n , TargetDescription:string\n , TargetDeviceType:string\n , TargetIpAddr:string\n , TargetDvcOs:string\n , TargetUrl:string\n , TargetPortNumber:int\n , TargetDvcScope:string\n , TargetDvcScopeId:string\n , TargetGeoCity:string\n , TargetGeoCountry:string\n , TargetGeoRegion:string\n , TargetGeoLatitude:real\n , TargetGeoLongitude:real\n , LogonMethod: string\t\n , LogonProtocol: string\t\n , TargetUserIdType: string\t\n , TargetUsernameType: string\t\n , UserScope:string\n , UserScopeId:string\n , TargetOriginalUserType:string\n , TargetUserSessionId:string\n , User: string\t\n , IpAddr: string\n , SrcDvcHostnameType: string\t\n , LogonTarget: string\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n , AdditionalFields:dynamic\n , Type:string\n , Src:string\n , Dst:string\n , Rule:string\n , RuleName:string\n , RuleNumber:int\n , ThreatId:string\n , ThreatName:string\n , ThreatCategory:string\n , ThreatOriginalRiskLevel:string\n , ThreatOriginalConfidence:string\n , ThreatIsActive:bool\n , ThreatField:string\n , ThreatConfidence:int\n , ThreatRiskLevel:string\n , 
ThreatFirstReportedTime:datetime\n , ThreatLastReportedTime:datetime\n , Application:string\n )[];\nEmptyAuthenticationTable", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationEmpty", + "query": "let EmptyAuthenticationTable=datatable(\n EventProduct:string\n , EventProductVersion: string\n , EventVendor:string\n , EventCount:int\n , EventReportUrl:string\n , EventSchemaVersion:string\n , EventSchema:string\n , TimeGenerated:datetime\n , EventOriginalUid:string\n , EventOriginalType:string\n , EventOriginalSubType:string\n , EventMessage:string\n , EventResult:string\n , EventResultDetails:string\n , EventOriginalResultDetails:string\n , EventStartTime:datetime\n , EventEndTime:datetime\n , EventType:string\n , EventSubType:string\n , EventUid:string\n , EventSeverity:string\n , EventOriginalSeverity:string\n , EventOwner:string\n , ActorSessionId:string\n , TargetSessionId:string\n , ActorUserId:string\n , ActorUsername:string\n , ActorUserType:string\n , ActorUserIdType:string\n , ActorUsernameType:string\n , ActorScopeId:string\n , ActorOriginalUserType:string\n , TargetUserId:string\n , TargetUsername:string\n , TargetUserType:string\n , SrcDvcId:string\n , SrcDvcIdType:string\n , SrcDeviceType:string\n , SrcDvcOs:string\n , HttpUserAgent:string\n , SrcIsp:string\n , SrcGeoCity:string\n , SrcGeoCountry:string\n , SrcGeoRegion:string\n , SrcGeoLatitude:real\n , SrcGeoLongitude:real\n , SrcIpAddr:string\n , SrcPortNumber:string\n , SrcHostname:string\n , SrcDomain:string\n , SrcDomainType:string\n , SrcFQDN:string\n , SrcDescription:string\n , SrcDvcScopeId:string\n , SrcRiskLevel:int\n , SrcOriginalRiskLevel:string\n , ActingAppId:string\n , ActingAppName:string\n , ActingAppType:string\n , ActingOriginalAppType:string\n , TargetAppId:string\n , TargetAppName:string\n , TargetAppType:string\n , TargetOriginalAppType:string\n , 
TargetDvcId:string\n , TargetDvcIdType:string\n , TargetHostname:string\n , TargetDomain:string\n , TargetDomainType:string\n , TargetFQDN:string\n , TargetDescription:string\n , TargetDeviceType:string\n , TargetIpAddr:string\n , TargetDvcOs:string\n , TargetUrl:string\n , TargetPortNumber:int\n , TargetDvcScope:string\n , TargetDvcScopeId:string\n , TargetGeoCity:string\n , TargetGeoCountry:string\n , TargetGeoRegion:string\n , TargetGeoLatitude:real\n , TargetGeoLongitude:real\n , LogonMethod: string\t\n , LogonProtocol: string\t\n , TargetUserIdType: string\t\n , TargetUsernameType: string\t\n , UserScope:string\n , UserScopeId:string\n , TargetOriginalUserType:string\n , TargetUserSessionId:string\n , User: string\t\n , IpAddr: string\n , SrcDvcHostnameType: string\t\n , LogonTarget: string\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n , AdditionalFields:dynamic\n , Type:string\n , Src:string\n , Dst:string\n , Rule:string\n , RuleName:string\n , RuleNumber:int\n , ThreatId:string\n , ThreatName:string\n , ThreatCategory:string\n , ThreatOriginalRiskLevel:string\n , ThreatOriginalConfidence:string\n , ThreatIsActive:bool\n , ThreatField:string\n , ThreatConfidence:int\n , ThreatRiskLevel:string\n , ThreatFirstReportedTime:datetime\n , ThreatLastReportedTime:datetime\n , Application:string\n )[];\nEmptyAuthenticationTable", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json index ddc8d23c6ec..f073b9a025d 100644 
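Review bot: The schema datatable in the new query declares `DvcScopeOd:string`, which looks like a typo for `DvcScopeId` — the parallel `SrcDvcScopeId` and `TargetDvcScopeId` in the same list are spelled with `Id` — and a misspelt column in the empty schema function means a `union` with real parsers yields two columns and schema checks against this function will not catch the drift. The list also declares `SrcPortNumber:string` while `TargetPortNumber:int`; `SrcPortNumber:int` is presumably intended. As the ARM JSON appears to be generated, the corrections belong in the YAML source of vimAuthenticationEmpty.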
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationGoogleWorkspace')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationGoogleWorkspace", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Google Workspace", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationGoogleWorkspace", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let GoogleWorkspaceSchema = datatable\n(\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n login_challenge_method_s: string,\n id_applicationName_s: string,\n affected_email_address_s: string,\n is_suspicious_b: bool,\n is_second_factor_b: bool,\n login_type_s: string,\n sensitive_action_name_s: string,\n login_challenge_status_s: string,\n TimeGenerated: datetime,\n _ItemId: string,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string\n)[];\n let EventFieldsLookup = datatable\n(\n EventOriginalSubType: string,\n EventType: string,\n 
EventResult: string,\n DvcAction: string\n)\n[\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\n \"login_challenge\", \"Logon\", \"\", \"\",\n \"login_verification\", \"Logon\", \"\", \"\",\n \"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\n \"riskay_sensitive_action_allowed\", \"Logon\", \"Success\", \"Allowed\",\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\n];\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_email_s has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'Google Workspace - login' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (\"Logon\" in~ (eventtype_in)) or (\"Logoff\" in~ (eventtype_in)))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n and event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == 
$right.EventOriginalSubType\n // Filtering on 'eventresult' and eventtype_in\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename\n TargetUsername = actor_email_s,\n TargetUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n LogonMethod = login_challenge_method_s,\n EventOriginalType = event_type_s,\n EventOriginalUid = id_uniqueQualifier_s\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\n | extend \n AdditionalFields = bag_pack\n (\n \"Is_Suspicious\",\n is_suspicious_b,\n \"Is_Second_Factor_b\",\n is_second_factor_b,\n \"Logon_Type\",\n login_type_s,\n \"Sensitive_Action_Name\",\n sensitive_action_name_s\n ),\n EventResult = case\n (\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\n \"Success\",\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\n \"Failure\",\n EventResult\n ),\n EventResultDetails = iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\n RuleName = case\n (\n event_name_s == 'suspicious_login',\n \"Google has detected a suspicious login for TargetUSerName\",\n event_name_s == 
'suspicious_login_less_secure_app',\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\n event_name_s == 'suspicious_programmatic_login',\n \"Google has detected a suspicious programmatic login for TargetUserName\",\n event_name_s == 'user_signed_out_due_to_suspicious_session_cookie',\n \"Suspicious session cookie detected for user TargetUserName\",\n \"\"\n ),\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\n ThreatLastReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null))\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n EventOriginalSubType = event_name_s,\n TargetAppName = \"Google Workspace - login\",\n Dst = \"Google Workspace\",\n Application = \"Google Workspace\",\n TargetAppType = \"SaaS application\",\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n Dvc=\"Workspace\",\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventUid = _ItemId\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp*\n};\nparser\n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Google Workspace", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationGoogleWorkspace", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let GoogleWorkspaceSchema = datatable\n(\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n login_challenge_method_s: string,\n id_applicationName_s: string,\n affected_email_address_s: string,\n is_suspicious_b: bool,\n is_second_factor_b: bool,\n login_type_s: string,\n sensitive_action_name_s: string,\n login_challenge_status_s: string,\n TimeGenerated: datetime,\n _ItemId: string,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string\n)[];\n let EventFieldsLookup = datatable\n(\n EventOriginalSubType: string,\n EventType: string,\n EventResult: string,\n DvcAction: string\n)\n[\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\n \"login_challenge\", \"Logon\", \"\", \"\",\n \"login_verification\", \"Logon\", \"\", \"\",\n 
\"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\n \"riskay_sensitive_action_allowed\", \"Logon\", \"Success\", \"Allowed\",\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\n];\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_email_s has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'Google Workspace - login' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (\"Logon\" in~ (eventtype_in)) or (\"Logoff\" in~ (eventtype_in)))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n and event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n // Filtering on 'eventresult' and eventtype_in\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename\n TargetUsername = actor_email_s,\n 
TargetUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n LogonMethod = login_challenge_method_s,\n EventOriginalType = event_type_s,\n EventOriginalUid = id_uniqueQualifier_s\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\n | extend \n AdditionalFields = bag_pack\n (\n \"Is_Suspicious\",\n is_suspicious_b,\n \"Is_Second_Factor_b\",\n is_second_factor_b,\n \"Logon_Type\",\n login_type_s,\n \"Sensitive_Action_Name\",\n sensitive_action_name_s\n ),\n EventResult = case\n (\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\n \"Success\",\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\n \"Failure\",\n EventResult\n ),\n EventResultDetails = iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\n RuleName = case\n (\n event_name_s == 'suspicious_login',\n \"Google has detected a suspicious login for TargetUSerName\",\n event_name_s == 'suspicious_login_less_secure_app',\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\n event_name_s == 'suspicious_programmatic_login',\n \"Google has detected a suspicious programmatic login for TargetUserName\",\n event_name_s == 
'user_signed_out_due_to_suspicious_session_cookie',\n \"Suspicious session cookie detected for user TargetUserName\",\n \"\"\n ),\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\n ThreatLastReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null))\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n EventOriginalSubType = event_name_s,\n TargetAppName = \"Google Workspace - login\",\n Dst = \"Google Workspace\",\n Application = \"Google Workspace\",\n TargetAppType = \"SaaS application\",\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n Dvc=\"Workspace\",\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventUid = _ItemId\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp*\n};\nparser\n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
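Review bot: The EventFieldsLookup datatable inside the new `query` string maps `riskay_sensitive_action_allowed`, while the row beside it is `risky_sensitive_action_blocked`; because the parser later keeps only rows where `event_name_s in (SupportedEventNames)`, any `risky_sensitive_action_allowed` event (assuming that is the real Google event name, which this hunk alone cannot confirm) is silently dropped instead of being normalised to a successful Logon — a blind spot on exactly the risk-flagged sign-ins this parser exists to surface. The row should read `\"risky_sensitive_action_allowed\", \"Logon\", \"Success\", \"Allowed\",`, and if this ARM template is generated from a parser YAML the fix belongs there with the ARM regenerated rather than hand-edited. The structural change itself — deploying `workspaces/savedSearches` directly with `concat(parameters('Workspace'), '/...')` and dropping the parent workspace resource and its `dependsOn` — is sound, and has the side benefit that the template no longer redeploys the workspace resource under a preview apiVersion.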
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json index c3a8bace296..635ceefbaa0 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationIllumioSaaSCore')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationIllumioSaaSCore", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Illumio SaaS Core", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationIllumioSaaSCore", - "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\n EventResultDetails: string,\n EventResult: string\n)\n[\n 'user.authenticate', 'Logon', 'Other', 'Success',\n 'user.login', 'Logon', 'Other', 'Success',\n 'user.logout', 'Logoff', 'Other', 'Success',\n 'user.sign_in', 'Logon', 'Other', 'Success',\n 'user.sign_out', 'Logoff', 'Other', 'Success',\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\n];\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type in (user_events) 
// limited to user signin, login, logoff, signoff events only\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srchostname_has_any) == 0) // srchostname_has_any not available in source \n | extend \n EventProduct='Core'\n ,\n EventVendor='Illumio'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3' \n ,\n EventOriginalUid = href\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\n | where\n (eventresult == \"*\" or (EventResult == eventresult)) \n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend \n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n , \n TargetUsername = case( \n isnotnull(created_by.user), created_by.user.username, \n \"Unknown\"\n ),\n TargetUsernameType = \"Simple\",\n EventUid = _ItemId,\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip) \n // * prefiltering \n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and ((array_length(eventtype_in) == 0) or EventType has_any (eventtype_in))\n // * prefiltering\n // ** Aliases\n | extend \n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n ,\n User = TargetUsername\n | project-away \n TenantId,\n href,\n pce_fqdn,\n created_by,\n event_type,\n status,\n severity,\n action,\n resource_changes,\n notifications,\n version \n };\n parser(starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n 
eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\n EventResultDetails: string,\n EventResult: string\n)\n[\n 'user.authenticate', 'Logon', 'Other', 'Success',\n 'user.login', 'Logon', 'Other', 'Success',\n 'user.logout', 'Logoff', 'Other', 'Success',\n 'user.sign_in', 'Logon', 'Other', 'Success',\n 'user.sign_out', 'Logoff', 'Other', 'Success',\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\n];\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and 
(isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srchostname_has_any) == 0) // srchostname_has_any not available in source \n | extend \n EventProduct='Core'\n ,\n EventVendor='Illumio'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3' \n ,\n EventOriginalUid = href\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\n | where\n (eventresult == \"*\" or (EventResult == eventresult)) \n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend \n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n , \n TargetUsername = case( \n isnotnull(created_by.user), created_by.user.username, \n \"Unknown\"\n ),\n TargetUsernameType = \"Simple\",\n EventUid = _ItemId,\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip) \n // * prefiltering \n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and ((array_length(eventtype_in) == 0) or EventType has_any (eventtype_in))\n // * prefiltering\n // ** Aliases\n | extend \n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n ,\n User = TargetUsername\n | project-away \n TenantId,\n href,\n pce_fqdn,\n created_by,\n event_type,\n status,\n severity,\n action,\n resource_changes,\n notifications,\n version \n };\n parser(starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json index 6d61ce80dea..b14b9bdfcb5 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json 
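Review bot: The `user_events` allow-list in the new `query` string contains `'user.sigin'` while the EventTypeLookup row it is meant to admit is spelled `'user.sign_in'`; since `event_type in (user_events)` is applied before the lookup, sign-in events never reach the parser output, so the normalised Authentication table loses the Logon events that matter most. The list entry should be corrected to `let user_events = dynamic(['user.sign_in', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);`, in the parser source if this ARM file is generated from it. A smaller consistency point in the same query: the `eventtype_in` filter uses `EventType has_any (eventtype_in)`, a term match, where the other vim parsers use the exact case-insensitive `EventType in~ (eventtype_in)`; harmless for 'Logon'/'Logoff' but worth aligning.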
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationM365Defender')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationM365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for M365 Defender Device Logon Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationM365Defender", - "query": "let EventResultDetailsLookup=datatable\n(\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n 'InvalidUserNameOrPassword', 'No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType: string, EventSubType: string)\n[ \n 'Interactive', 'Interactive',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'Network', 'Remote',\n 'Batch', 'Service',\n 'Service', 'Service',\n 'Unknown', '',\n 'RemoteInteractive', 'RemoteInteractive',\n 'CachedInteractive', 'Interactive'\n];\nlet EventResultLookup = datatable (ActionType: string, EventResult: string)\n[ \n 'LogonSuccess', 'Success',\n 'LogonFailed', 'Failure',\n 'LogonAttempted', 'NA'\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let UnixDeviceLogonEvents = (disabled: 
bool=false)\n{\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or (InitiatingProcessAccountName has_any (username_has_any)) or AccountName has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any)))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // -- end prefilter\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n TargetDvcOs = \"Linux\"\n ,\n ActorUsernameType = \"Simple\"\n ,\n TargetUsernameType = \"Simple\"\n | project-rename \n ActorUsername = InitiatingProcessAccountName\n ,\n ActingProcessName = InitiatingProcessFolderPath\n ,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid,\n AccountDomain,\n InitiatingProcessAccountDomain,\n InitiatingProcessFileName,\n AccountSid\n};\n let WindowsDeviceLogonEvents = (disabled: bool=false)\n{\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or (AccountName has_any (username_has_any)) or (AccountDomain has_any (username_has_any)) or (strcat(AccountDomain, '\\\\', AccountName) has_any (username_has_any)) or (InitiatingProcessAccountName has_any (username_has_any)) or (InitiatingProcessAccountDomain has_any (username_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any 
(username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any)))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // -- end prefilter\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n TargetDvcOs = \"Windows\"\n ,\n TargetUserIdType = 'SID'\n ,\n ActorUserIdType = 'SID'\n ,\n ActorUsername = case\n (\n isempty(InitiatingProcessAccountName),\n \"\",\n isempty(InitiatingProcessAccountDomain),\n InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n )\n ,\n TargetUsername = iff\n (\n isempty(AccountDomain),\n AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ) \n ,\n TargetUsernameType = iff (AccountDomain == '', 'Simple', 'Windows')\n ,\n ActorUsernameType = iff (InitiatingProcessAccountDomain == '', 'Simple', 'Windows')\n ,\n ActingProcessName = strcat (InitiatingProcessFolderPath, '\\\\', InitiatingProcessFileName)\n | project-rename \n ActorUserId = InitiatingProcessAccountSid\n ,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId\n ,\n ActorUserSid = ActorUserId\n ,\n TargetWindowsUsername = TargetUsername\n ,\n ActorWindowsUsername = ActorUsername\n ,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff\n (\n IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away\n InitiatingProcessAccountName,\n InitiatingProcessAccountDomain,\n AccountDomain,\n AccountName,\n InitiatingProcessFolderPath,\n 
InitiatingProcessFileName\n};\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | project-rename \n EventOriginalResultDetails = FailureReason \n ,\n EventOriginalType = LogonType\n ,\n EventUid = _ItemId\n ,\n LogonProtocol = Protocol\n ,\n TargetDvcId = DeviceId\n ,\n SrcHostname = RemoteDeviceName\n ,\n ActingProcessCommandLine = InitiatingProcessCommandLine\n ,\n ActingProcessCreationTime = InitiatingProcessCreationTime\n ,\n ActingProcessMD5 = InitiatingProcessMD5\n ,\n ActingProcessSHA1 = InitiatingProcessSHA1 \n ,\n ActingProcessSHA256 = InitiatingProcessSHA256\n ,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel\n ,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation\n ,\n ParentProcessName = InitiatingProcessParentFileName\n ,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n //??, ActingProcessName = InitiatingProcessFolderPath \n ,\n ActorUserUpn = InitiatingProcessAccountUpn\n ,\n ActorUserAadId = InitiatingProcessAccountObjectId\n ,\n SrcPortNumber = RemotePort\n | extend \n EventCount = int(1)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventSchemaVersion = '0.1.3'\n ,\n EventType = 'Logon'\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'M365 Defender for EndPoint'\n ,\n EventSchema = 'Authentication'\n ,\n TargetDvcIdType = 'MDEid'\n ,\n ActingProcessId = tostring (InitiatingProcessId)\n 
,\n ParentProcessId = tostring (InitiatingProcessParentId)\n ,\n EventOriginalUid = tostring (ReportId)\n ,\n TargetSessionId = tostring (LogonId)\n ,\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP)\n | extend\n Hash = coalesce\n (\n ActingProcessSHA256\n ,\n ActingProcessSHA1\n ,\n ActingProcessMD5\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5), Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetFQDN = FQDN\n ,\n TargetHostname = ExtractedHostname\n ,\n TargetDomainType = DomainType\n ,\n TargetDomain = Domain \n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails\n // filtering on 'eventresultdetails_in', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n TargetDvcMDEid = TargetDvcId\n ,\n DvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n User = TargetUsername \n ,\n Prcess = ActingProcessName\n ,\n IpAddr = SrcIpAddr\n ,\n ActingAppName = ActingProcessName\n ,\n ActingAppType = \"Process\"\n ,\n Dvc = coalesce (TargetFQDN, TargetHostname)\n ,\n Src = coalesce (SrcIpAddr, SrcHostname)\n // -- Alias Dvc to Target\n ,\n DvcFQDN = TargetFQDN\n ,\n DvcHostname = TargetHostname\n ,\n DvcDomain = TargetDomain\n ,\n DvcDomainType = TargetDomainType\n ,\n DvcId = TargetDvcId\n ,\n DvcIdType = TargetDvcIdType\n ,\n DvcOs = TargetDvcOs\n | 
extend \n LogonTarget = Dvc\n ,\n Dst = Dvc\n | project-away\n ReportId,\n LogonId,\n InitiatingProcessId,\n InitiatingProcessParentId,\n ActionType,\n InitiatingProcessFileSize,\n InitiatingProcessVersionInfoCompanyName,\n InitiatingProcessVersionInfoFileDescription,\n InitiatingProcessVersionInfoInternalFileName,\n InitiatingProcessVersionInfoOriginalFileName,\n InitiatingProcessVersionInfoProductName,\n InitiatingProcessVersionInfoProductVersion,\n AppGuardContainerId,\n RemoteIPType,\n IsLocalAdmin,\n RemoteIP,\n temp*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for M365 Defender Device Logon Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationM365Defender", + "query": "let EventResultDetailsLookup=datatable\n(\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n 'InvalidUserNameOrPassword', 'No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType: string, EventSubType: string)\n[ \n 'Interactive', 'Interactive',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'Network', 'Remote',\n 'Batch', 'Service',\n 'Service', 'Service',\n 'Unknown', '',\n 'RemoteInteractive', 'RemoteInteractive',\n 
'CachedInteractive', 'Interactive'\n];\nlet EventResultLookup = datatable (ActionType: string, EventResult: string)\n[ \n 'LogonSuccess', 'Success',\n 'LogonFailed', 'Failure',\n 'LogonAttempted', 'NA'\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let UnixDeviceLogonEvents = (disabled: bool=false)\n{\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or (InitiatingProcessAccountName has_any (username_has_any)) or AccountName has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any)))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // -- end prefilter\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n TargetDvcOs = \"Linux\"\n ,\n ActorUsernameType = \"Simple\"\n ,\n TargetUsernameType = \"Simple\"\n | project-rename \n ActorUsername = InitiatingProcessAccountName\n ,\n ActingProcessName = InitiatingProcessFolderPath\n ,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid,\n AccountDomain,\n InitiatingProcessAccountDomain,\n InitiatingProcessFileName,\n 
AccountSid\n};\n let WindowsDeviceLogonEvents = (disabled: bool=false)\n{\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or (AccountName has_any (username_has_any)) or (AccountDomain has_any (username_has_any)) or (strcat(AccountDomain, '\\\\', AccountName) has_any (username_has_any)) or (InitiatingProcessAccountName has_any (username_has_any)) or (InitiatingProcessAccountDomain has_any (username_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any)))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // -- end prefilter\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n TargetDvcOs = \"Windows\"\n ,\n TargetUserIdType = 'SID'\n ,\n ActorUserIdType = 'SID'\n ,\n ActorUsername = case\n (\n isempty(InitiatingProcessAccountName),\n \"\",\n isempty(InitiatingProcessAccountDomain),\n InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n )\n ,\n TargetUsername = iff\n (\n isempty(AccountDomain),\n AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ) \n ,\n TargetUsernameType = iff (AccountDomain == '', 'Simple', 'Windows')\n ,\n ActorUsernameType = iff (InitiatingProcessAccountDomain == '', 'Simple', 'Windows')\n ,\n ActingProcessName = strcat (InitiatingProcessFolderPath, '\\\\', InitiatingProcessFileName)\n | 
project-rename \n ActorUserId = InitiatingProcessAccountSid\n ,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId\n ,\n ActorUserSid = ActorUserId\n ,\n TargetWindowsUsername = TargetUsername\n ,\n ActorWindowsUsername = ActorUsername\n ,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff\n (\n IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away\n InitiatingProcessAccountName,\n InitiatingProcessAccountDomain,\n AccountDomain,\n AccountName,\n InitiatingProcessFolderPath,\n InitiatingProcessFileName\n};\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | project-rename \n EventOriginalResultDetails = FailureReason \n ,\n EventOriginalType = LogonType\n ,\n EventUid = _ItemId\n ,\n LogonProtocol = Protocol\n ,\n TargetDvcId = DeviceId\n ,\n SrcHostname = RemoteDeviceName\n ,\n ActingProcessCommandLine = InitiatingProcessCommandLine\n ,\n ActingProcessCreationTime = InitiatingProcessCreationTime\n ,\n ActingProcessMD5 = InitiatingProcessMD5\n ,\n ActingProcessSHA1 = InitiatingProcessSHA1 \n ,\n ActingProcessSHA256 = InitiatingProcessSHA256\n ,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel\n ,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation\n ,\n ParentProcessName = 
InitiatingProcessParentFileName\n ,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n //??, ActingProcessName = InitiatingProcessFolderPath \n ,\n ActorUserUpn = InitiatingProcessAccountUpn\n ,\n ActorUserAadId = InitiatingProcessAccountObjectId\n ,\n SrcPortNumber = RemotePort\n | extend \n EventCount = int(1)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventSchemaVersion = '0.1.3'\n ,\n EventType = 'Logon'\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'M365 Defender for EndPoint'\n ,\n EventSchema = 'Authentication'\n ,\n TargetDvcIdType = 'MDEid'\n ,\n ActingProcessId = tostring (InitiatingProcessId)\n ,\n ParentProcessId = tostring (InitiatingProcessParentId)\n ,\n EventOriginalUid = tostring (ReportId)\n ,\n TargetSessionId = tostring (LogonId)\n ,\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP)\n | extend\n Hash = coalesce\n (\n ActingProcessSHA256\n ,\n ActingProcessSHA1\n ,\n ActingProcessMD5\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5), Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetFQDN = FQDN\n ,\n TargetHostname = ExtractedHostname\n ,\n TargetDomainType = DomainType\n ,\n TargetDomain = Domain \n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails\n // filtering on 'eventresultdetails_in', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventSeverity = iff (EventResult == 
\"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n TargetDvcMDEid = TargetDvcId\n ,\n DvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n User = TargetUsername \n ,\n Prcess = ActingProcessName\n ,\n IpAddr = SrcIpAddr\n ,\n ActingAppName = ActingProcessName\n ,\n ActingAppType = \"Process\"\n ,\n Dvc = coalesce (TargetFQDN, TargetHostname)\n ,\n Src = coalesce (SrcIpAddr, SrcHostname)\n // -- Alias Dvc to Target\n ,\n DvcFQDN = TargetFQDN\n ,\n DvcHostname = TargetHostname\n ,\n DvcDomain = TargetDomain\n ,\n DvcDomainType = TargetDomainType\n ,\n DvcId = TargetDvcId\n ,\n DvcIdType = TargetDvcIdType\n ,\n DvcOs = TargetDvcOs\n | extend \n LogonTarget = Dvc\n ,\n Dst = Dvc\n | project-away\n ReportId,\n LogonId,\n InitiatingProcessId,\n InitiatingProcessParentId,\n ActionType,\n InitiatingProcessFileSize,\n InitiatingProcessVersionInfoCompanyName,\n InitiatingProcessVersionInfoFileDescription,\n InitiatingProcessVersionInfoInternalFileName,\n InitiatingProcessVersionInfoOriginalFileName,\n InitiatingProcessVersionInfoProductName,\n InitiatingProcessVersionInfoProductVersion,\n AppGuardContainerId,\n RemoteIPType,\n IsLocalAdmin,\n RemoteIP,\n temp*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of 
file
+}
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json
index b07d0b1520c..83501502b45 100644
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationMD4IoT", - "query": "let Authentication_MD4IoT=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n SecurityIoTRawEvent\n | where not(disabled)\n | where RawEventName == \"Login\"\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or EventDetails has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(EventDetails, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available 
in source\n // Filtering for eventtype_in done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // Filtering for eventresult done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n // Filtering on 'eventtype_in' and 'eventresult'\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName)\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress)\n // Post-filtering on username_has_any and srcipaddr_has_any_prefix\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming 
from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n};\n Authentication_MD4IoT(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationMD4IoT", + "query": "let Authentication_MD4IoT=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n 
SecurityIoTRawEvent\n | where not(disabled)\n | where RawEventName == \"Login\"\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or EventDetails has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(EventDetails, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // Filtering for eventresult done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n // Filtering on 'eventtype_in' and 'eventresult'\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used 
to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName)\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress)\n // Post-filtering on username_has_any and srcipaddr_has_any_prefix\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n};\n Authentication_MD4IoT(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json
index dc0930de85b..58322140a30 100644
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)\n[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n(\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 
'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n 
targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{ \n WindowsEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (tostring(EventData.TargetUserName) has_any (username_has_any)) or (tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\\\', tostring(EventData.SubjectUserName)) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, 
EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n SrcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend \n SrcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend\n EventMessage = case\n (\n EventID == 4634,\n \"4634 - An account was logged 
off.\", \n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n // Filtering on 'eventresult' and 'username_has_any'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-rename \n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n EventOriginalType=EventID\n | extend\n EventCount=int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion='0.1.3'\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n ,\n ActorUsernameType= iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows') \n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // filtering on 'eventtype_in'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n ,\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n ,\n IpAddr=SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n 
TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon =(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{\n SecurityEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n 
AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n EventMessage = Activity\n ,\n ActorSessionId=SubjectLogonId\n ,\n TargetSessionId=TargetLogonId\n ,\n ActorUserId=SubjectUserSid\n ,\n TargetUserId =TargetUserSid\n ,\n SrcHostname = WorkstationName\n ,\n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n LogonProtocol=AuthenticationPackageName\n ,\n SrcIpAddr=IpAddress\n ,\n EventOriginalType=EventID\n | extend\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n ,\n EventCount=int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion='0.1.3'\n ,\n EventProduct = \"Security Events\"\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n ,\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount)\n ,\n ActorUsernameType= iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount))\n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n 
\"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // filtering on 'eventtype_in', 'eventresult', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n ,\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n ,\n IpAddr=SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - 
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationMicrosoftWindowsEvent", + "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)\n[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n(\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n 
'0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: 
bool=false)\n{ \n WindowsEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (tostring(EventData.TargetUserName) has_any (username_has_any)) or (tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\\\', tostring(EventData.SubjectUserName)) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n SrcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n 
LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend \n SrcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend\n EventMessage = case\n (\n EventID == 4634,\n \"4634 - An account was logged off.\", \n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n // Filtering on 'eventresult' 
and 'username_has_any'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-rename \n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n EventOriginalType=EventID\n | extend\n EventCount=int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion='0.1.3'\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n ,\n ActorUsernameType= iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows') \n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // filtering on 'eventtype_in'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n ,\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n ,\n IpAddr=SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon =(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n 
srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{\n SecurityEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n 
| project-rename \n EventMessage = Activity\n ,\n ActorSessionId=SubjectLogonId\n ,\n TargetSessionId=TargetLogonId\n ,\n ActorUserId=SubjectUserSid\n ,\n TargetUserId =TargetUserSid\n ,\n SrcHostname = WorkstationName\n ,\n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n LogonProtocol=AuthenticationPackageName\n ,\n SrcIpAddr=IpAddress\n ,\n EventOriginalType=EventID\n | extend\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n ,\n EventCount=int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion='0.1.3'\n ,\n EventProduct = \"Security Events\"\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n ,\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount)\n ,\n ActorUsernameType= iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount))\n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // filtering on 'eventtype_in', 'eventresult', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == 
eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n ,\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n ,\n IpAddr=SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json index afe262b6357..d43e4d61b3e 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationOktaSSO')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationOktaSSO", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Okta", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationOktaSSO", - "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated: datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | extend \n outcome_result_s=column_ifexists('outcome_result_s', \"\"),\n eventType_s=column_ifexists('eventType_s', \"\"),\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\"),\n 
client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', \"\"),\n client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', \"\"),\n actor_alternateId_s = column_ifexists('actor_alternateId_s', \"\"),\n client_ipAddress_s = column_ifexists('client_ipAddress_s', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_alternateId_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(client_ipAddress_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n 
,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Okta", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationOktaSSO", + "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated: datetime)[];\n // 
https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | extend \n outcome_result_s=column_ifexists('outcome_result_s', \"\"),\n eventType_s=column_ifexists('eventType_s', \"\"),\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\"),\n client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', \"\"),\n client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', \"\"),\n actor_alternateId_s = column_ifexists('actor_alternateId_s', \"\"),\n client_ipAddress_s = column_ifexists('client_ipAddress_s', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_alternateId_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(client_ipAddress_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case 
(outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json index c9526004712..49461af15b2 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationOktaV2')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationOktaV2", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Okta", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationOktaV2", - "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n 
OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n 
EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=ActorUsername\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n //\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n 
IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType;\n OktaV2\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Okta", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationOktaV2", + "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n 
eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // 
TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=ActorUsername\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n //\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n 
SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType;\n OktaV2\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json index 312210516d6..7832389409e 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json 
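Review bot: The flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource at the top of this hunk carries no `dependsOn` and the template no longer declares the parent workspace, so deployment now presumes the workspace named by `parameters('Workspace')` already exists in the target resource group (ARM rejects a child resource whose parent is absent); the parameter's metadata description, which lies outside this hunk, should state that precondition. Removing the parent `Microsoft.OperationalInsights/workspaces` declaration with `apiVersion` `2017-03-15-preview` is a welcome reduction in blast radius, since a template that re-declares the workspace can rewrite workspace settings on every parser deployment, but that intent is worth recording on the resource, e.g. `"comments": "Deploys only the saved search; the workspace must already exist."`. The `location` element is retained on the child resource although the old nested `savedSearches` resource had none; the hunk does not show whether the `2020-08-01` schema accepts it, so confirm against the resource reference or a what-if deployment. The vimAuthenticationPaloAltoCortexDataLake hunk below makes the identical structural change and this note applies there as well.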
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n and ((array_length(username_has_any) == 0) or (AdditionalExtensions has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // 
TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or AdditionalExtensions has_any(srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventResult = iff(Message has \"Invalid Certificate\", \"Failure\", \"Success\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where ((array_length(username_has_any) == 0) or (PanOSAuthenticatedUserName has_any (username_has_any)))\n and (array_length(srchostname_has_any) == 0 or PanOSSourceDeviceHost has_any(srchostname_has_any))\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = 
Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1,\n \"Username & Password\",\n FieldDeviceCustomNumber1 == 2,\n \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3,\n \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not 
coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1,\n \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1,\n \"Windows\",\n \"\"\n ),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId,\n temp_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n and ((array_length(username_has_any) == 0) or (AdditionalExtensions has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or AdditionalExtensions has_any(srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or 
\"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventResult = iff(Message has \"Invalid Certificate\", \"Failure\", \"Success\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where ((array_length(username_has_any) == 0) or (PanOSAuthenticatedUserName has_any (username_has_any)))\n and (array_length(srchostname_has_any) == 0 or PanOSSourceDeviceHost has_any(srchostname_has_any))\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1,\n \"Username & Password\",\n FieldDeviceCustomNumber1 == 2,\n \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3,\n \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n 
FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1,\n \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1,\n \"Windows\",\n \"\"\n ),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId,\n temp_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json index 68abe3e892f..e6237d18a30 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationPostgreSQL')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationPostgreSQL", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for PostgreSQL", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationPostgreSQL", - "query": "let PostgreSQLSignInAuthorized=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and 
(array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or ('Success' == eventresult))\n // ************************************************************************* \n // \n // ************************************************************************* \n | where RawData has 'connection authorized'\n | extend\n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\n ,\n EventOriginalRestultDetails = 'Connection authorized'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure1=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData has 
'authentication failed'\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'User authentication failed'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure2=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData has_all 
('role', 'does', 'not', 'exist')\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'Role does not exist'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure3=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | 
where RawData has_all ('no', 'entry', 'user')\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\n ,\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'No entry for user'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLDisconnect=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logoff\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Session expired' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData 
has 'disconnection'\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logoff'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\n ,\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData)\n ,\n EventResultDetails = 'Session expired'\n ,\n EventOriginalRestultDetails = 'User session closed'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n union isfuzzy=false PostgreSQLSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure2(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure3(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, 
targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for PostgreSQL", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationPostgreSQL", + "query": "let PostgreSQLSignInAuthorized=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) 
or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or ('Success' == eventresult))\n // ************************************************************************* \n // \n // ************************************************************************* \n | where RawData has 'connection authorized'\n | extend\n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\n ,\n EventOriginalRestultDetails = 'Connection authorized'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure1=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData has 
'authentication failed'\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'User authentication failed'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure2=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData has_all 
('role', 'does', 'not', 'exist')\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'Role does not exist'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure3=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | 
where RawData has_all ('no', 'entry', 'user')\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\n ,\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'No entry for user'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLDisconnect=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logoff\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Session expired' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData 
has 'disconnection'\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logoff'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\n ,\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData)\n ,\n EventResultDetails = 'Session expired'\n ,\n EventOriginalRestultDetails = 'User session closed'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n union isfuzzy=false PostgreSQLSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure2(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure3(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, 
targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
index 570a1319836..8d13a801033 100644
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuthenticationSalesforceSC')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationSalesforceSC",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationSalesforceSC",
- "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let SalesforceSchema = datatable\n(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n login_type_s: string,\n login_sub_type_s: string,\n organization_id_s: string,\n platform_type_s: string,\n request_id_s: string,\n request_status_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string,\n wave_session_id_g: string\n)[];\n let EventResultLookup = datatable\n(\n login_status_s: string,\n DvcAction: string,\n 
EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)\n[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", 
\"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)\n[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable\n(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)\n[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable\n(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)\n[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other 
Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable\n(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)\n[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)\n[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)\n[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n 
\"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (user_name_s has_any (username_has_any)) or (delegated_user_name_s has_any (username_has_any)))\n and ((array_length(targetappname_has_any) == 0) or ('Salesforce Dot Com(SFDC)' in~ (targetappname_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(source_ip_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=user_name_s has_any(username_has_any)\n ,\n temp_isMatchActorUsername=delegated_user_name_s has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup EventTypeLookup on event_type_s\n // Filtering on eventtype_in\n | where 
((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n // Filtering on 'eventresult'\n 
| where (eventresult == \"*\" or (EventResult == eventresult))\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n temp*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSalesforceSC", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let SalesforceSchema = datatable\n(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n login_type_s: string,\n login_sub_type_s: string,\n organization_id_s: string,\n 
platform_type_s: string,\n request_id_s: string,\n request_status_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string,\n wave_session_id_g: string\n)[];\n let EventResultLookup = datatable\n(\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)\n[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)\n[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable\n(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)\n[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable\n(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)\n[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", 
\"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable\n(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)\n[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)\n[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: 
string)\n[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (user_name_s has_any (username_has_any)) or (delegated_user_name_s has_any (username_has_any)))\n and ((array_length(targetappname_has_any) == 0) or ('Salesforce Dot Com(SFDC)' in~ (targetappname_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(source_ip_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=user_name_s has_any(username_has_any)\n ,\n temp_isMatchActorUsername=delegated_user_name_s has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n 
temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup EventTypeLookup on event_type_s\n // Filtering on eventtype_in\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = 
iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n temp*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json index 1307258243d..7fbb93b589b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSentinelOne", - "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n[\n\"invalid 2FA code\", \"Incorrect password\",\n\"IP/User mismatch\", \"No such user or password\",\n\"invalid password\", \"Incorrect password\",\n\"user temporarily locked 2FA attempt\", \"User locked\",\n\"no active site\", \"Other\"\n];\nlet EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n)\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n];\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n];\nlet EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", \"Interactive\",\n 
\"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33\n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100\n];\nlet TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\nlet parser=(\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nusername_has_any: dynamic = dynamic([]),\ntargetappname_has_any: dynamic = dynamic([]),\nsrcipaddr_has_any_prefix: dynamic = dynamic([]),\nsrchostname_has_any: dynamic = dynamic([]),\neventtype_in: dynamic = dynamic([]),\neventresultdetails_in: dynamic = dynamic([]),\neventresult: string = '*',\ndisabled: bool=false\n) {\nlet alldata = SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and 
(isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or DataFields_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or (alertInfo_loginAccountDomain_s has_any (srchostname_has_any)))\n// Filtering for eventtype_in done later in the parser\n// Filtering for eventresultdetails_in done later in the parser\n// Filtering for eventresult done later in the parser\n;\nlet activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\",\n accountName,\n \"fullScopeDetails\",\n fullScopeDetails,\n \"fullScopeDetailsPath\",\n fullScopeDetailsPath,\n \"scopeLevel\",\n scopeLevel,\n \"source\",\n source,\n \"sourceType\",\n sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList),\n 
role,\n role == \"null\",\n \"\",\n \"Other\"\n )\n // Post-filtering on srcipaddr_has_any_prefix and username_has_any\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(username_has_any) == 0) or DataFields_s has_any (username_has_any))\n | project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\nlet alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n and array_length(eventresultdetails_in) == 0 // EventResultDetails not available in this event\n and ((array_length(username_has_any) == 0) or alertInfo_loginsUserName_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(alertInfo_srcMachineIp_s, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (alertInfo_loginAccountDomain_s has_any (srchostname_has_any)))\n | lookup EventTypeLookup on alertInfo_eventType_s\n // Filtering on eventtype_in\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | extend EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\")\n // Filtering on eventresult\n | where (eventresult == '*' or EventResult has eventresult);\nlet undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\nlet suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on 
alertInfo_analystVerdict_s;\nlet maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\nlet alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n // Post-filtering on srchostname_has_any\n | where ((array_length(srchostname_has_any) == 0) or (SrcHostname has_any (srchostname_has_any)))\n | extend\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\nunion activitydata, alertdatawiththreatfield\n// mapping ASimMatchingUsername\n| extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n// ActorUsername not coming from source. 
Hence, not mapped.\n| extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n| extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n| extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSentinelOne", + "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n[\n\"invalid 2FA code\", \"Incorrect password\",\n\"IP/User mismatch\", \"No such user or 
password\",\n\"invalid password\", \"Incorrect password\",\n\"user temporarily locked 2FA attempt\", \"User locked\",\n\"no active site\", \"Other\"\n];\nlet EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n)\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n];\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n];\nlet EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", \"Interactive\",\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33\n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n 
\"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100\n];\nlet TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\nlet parser=(\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nusername_has_any: dynamic = dynamic([]),\ntargetappname_has_any: dynamic = dynamic([]),\nsrcipaddr_has_any_prefix: dynamic = dynamic([]),\nsrchostname_has_any: dynamic = dynamic([]),\neventtype_in: dynamic = dynamic([]),\neventresultdetails_in: dynamic = dynamic([]),\neventresult: string = '*',\ndisabled: bool=false\n) {\nlet alldata = SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or DataFields_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or (alertInfo_loginAccountDomain_s has_any (srchostname_has_any)))\n// Filtering for eventtype_in done later in the parser\n// Filtering for eventresultdetails_in done later in the parser\n// Filtering for eventresult done later in the parser\n;\nlet activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: 
string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\",\n accountName,\n \"fullScopeDetails\",\n fullScopeDetails,\n \"fullScopeDetailsPath\",\n fullScopeDetailsPath,\n \"scopeLevel\",\n scopeLevel,\n \"source\",\n source,\n \"sourceType\",\n sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList),\n role,\n role == \"null\",\n \"\",\n \"Other\"\n )\n // Post-filtering on srcipaddr_has_any_prefix and username_has_any\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(username_has_any) == 0) or DataFields_s has_any (username_has_any))\n | project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\nlet alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n and array_length(eventresultdetails_in) == 0 // EventResultDetails not available in this event\n and ((array_length(username_has_any) == 0) or alertInfo_loginsUserName_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n 
and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(alertInfo_srcMachineIp_s, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (alertInfo_loginAccountDomain_s has_any (srchostname_has_any)))\n | lookup EventTypeLookup on alertInfo_eventType_s\n // Filtering on eventtype_in\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | extend EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\")\n // Filtering on eventresult\n | where (eventresult == '*' or EventResult has eventresult);\nlet undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\nlet suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\nlet maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\nlet alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n // Post-filtering on srchostname_has_any\n | where ((array_length(srchostname_has_any) == 0) or (SrcHostname has_any (srchostname_has_any)))\n | extend\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = 
agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\nunion activitydata, alertdatawiththreatfield\n// mapping ASimMatchingUsername\n| extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n// ActorUsername not coming from source. Hence, not mapped.\n| extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n| extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n| extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n 
eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json index 29b39a6a406..e5e88a4a890 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSshd')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSshd", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for OpenSSH sshd", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSshd", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'sshd' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in) or \"Logoff\" in~ (eventtype_in))\n// eventresultdetails_in filtering done later in the parser\n// eventresult filtering done 
later in the parser\n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled: bool=false)\n{ \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted password for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\n | extend\n EventResult = 'Success'\n ,\n EventSeverity = 'Informational'\n ,\n EventType = 'Logon'\n ,\n EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled: bool=false)\n{\n // -- Parse events with the format Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\n | parse SyslogMessage with \"message repeated\" EventCount: int \" times:\" * \n | extend\n EventResult = 'Failure'\n ,\n EventSeverity = 'Low' \n ,\n EventType = 'Logon'\n ,\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n ,\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\n ,\n EventCount = toint(coalesce(EventCount, 1))\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled: bool=false)\n{\n // -- Parse events with the format 
\"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | extend\n EventSeverity = 'Informational'\n ,\n EventType = 'Logoff'\n ,\n EventResult = 'Success'\n ,\n EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled: bool=false)\n{\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername: string \" from \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser: string \" port \" SrcPortNumberNoUser: int\n | extend\n EventResult = 'Failure'\n ,\n EventSeverity = 'Low'\n ,\n EventType = 'Logon'\n ,\n EventResultDetails = 'No such user'\n ,\n EventCount = int(1)\n ,\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\n ,\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n};\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\n{\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n 
DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Reverse mapping failed\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n};\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\n{\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Address to host to address mapping does not map back to address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n};\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\n{\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * \"set up for \" SrcIpAddr: string \", ignoring\"\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Nasty PTR record set for IP Address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SSHDAccepted 
(disabled=disabled)\n ,\n SSHDFailed (disabled=disabled)\n ,\n SSHDInvalidUser (disabled=disabled)\n ,\n SSHDTimeout (disabled=disabled)\n ,\n SSHDABreakInAttemptMappingFailed (disabled=disabled)\n ,\n SSHDABreakInAttemptMappingMismatch (disabled=disabled)\n ,\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n EventVendor = 'OpenBSD'\n ,\n EventProduct = 'OpenSSH'\n ,\n DvcOs = 'Linux'\n ,\n TargetDvcOs = 'Linux'\n ,\n LogonProtocol = 'ssh'\n ,\n TargetAppName = 'sshd'\n ,\n TargetAppType = 'Service'\n ,\n EventSubType = 'Remote'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.2'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetUsernameType = 'Simple'\n ,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n ,\n TargetAppId = tostring(ProcessID)\n | project-away Computer, ProcessID, temp*\n | project-rename \n EventUid = _ItemId\n ,\n DvcScopeId = _SubscriptionId\n ,\n DvcId = _ResourceId\n ,\n DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n ,\n Dvc = DvcHostname\n ,\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n 
,\n TargetDomain = DvcDomain\n ,\n TargetFQDN = DvcFQDN\n ,\n TargetDomainType = DvcDomainType\n ,\n TargetHostname = DvcHostname\n ,\n TargetDvcId = DvcId\n ,\n TargetDvcScopeId = DvcScopeId\n ,\n TargetDvcIdType = DvcDomainType\n ,\n IpAddr = DvcIpAddr\n ,\n TargetIpAddr = DvcIpAddr\n};\n parser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for OpenSSH sshd", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSshd", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) 
or 'sshd' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in) or \"Logoff\" in~ (eventtype_in))\n// eventresultdetails_in filtering done later in the parser\n// eventresult filtering done later in the parser\n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled: bool=false)\n{ \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted password for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\n | extend\n EventResult = 'Success'\n ,\n EventSeverity = 'Informational'\n ,\n EventType = 'Logon'\n ,\n EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled: bool=false)\n{\n // -- Parse events with the format Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\n | parse SyslogMessage with \"message repeated\" EventCount: int \" times:\" * \n | extend\n EventResult = 'Failure'\n ,\n 
EventSeverity = 'Low' \n ,\n EventType = 'Logon'\n ,\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n ,\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\n ,\n EventCount = toint(coalesce(EventCount, 1))\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled: bool=false)\n{\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | extend\n EventSeverity = 'Informational'\n ,\n EventType = 'Logoff'\n ,\n EventResult = 'Success'\n ,\n EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled: bool=false)\n{\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername: string \" from \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser: string \" port \" SrcPortNumberNoUser: int\n | extend\n EventResult = 'Failure'\n ,\n EventSeverity = 'Low'\n ,\n EventType = 'Logon'\n ,\n EventResultDetails = 'No such user'\n ,\n EventCount = int(1)\n ,\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\n ,\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n};\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\n{\n // -- Parse events with 
the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Reverse mapping failed\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n};\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\n{\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Address to host to address mapping does not map back to address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n};\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\n{\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * 
\"set up for \" SrcIpAddr: string \", ignoring\"\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Nasty PTR record set for IP Address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SSHDAccepted (disabled=disabled)\n ,\n SSHDFailed (disabled=disabled)\n ,\n SSHDInvalidUser (disabled=disabled)\n ,\n SSHDTimeout (disabled=disabled)\n ,\n SSHDABreakInAttemptMappingFailed (disabled=disabled)\n ,\n SSHDABreakInAttemptMappingMismatch (disabled=disabled)\n ,\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n EventVendor = 'OpenBSD'\n ,\n EventProduct = 'OpenSSH'\n ,\n DvcOs = 'Linux'\n ,\n TargetDvcOs = 'Linux'\n ,\n LogonProtocol = 'ssh'\n ,\n TargetAppName = 'sshd'\n ,\n TargetAppType = 'Service'\n ,\n EventSubType = 'Remote'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.2'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetUsernameType = 'Simple'\n ,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n ,\n TargetAppId = tostring(ProcessID)\n | project-away Computer, ProcessID, temp*\n | project-rename \n EventUid = _ItemId\n ,\n DvcScopeId = _SubscriptionId\n ,\n DvcId = _ResourceId\n ,\n DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n ,\n Dvc = DvcHostname\n ,\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n ,\n TargetDomain = DvcDomain\n ,\n TargetFQDN = DvcFQDN\n ,\n TargetDomainType = DvcDomainType\n ,\n TargetHostname = DvcHostname\n ,\n TargetDvcId = DvcId\n ,\n TargetDvcScopeId = DvcScopeId\n ,\n TargetDvcIdType = DvcDomainType\n ,\n IpAddr = DvcIpAddr\n ,\n TargetIpAddr = DvcIpAddr\n};\n parser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json index c086b304b0f..88f49e5de0e 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSu')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSu", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Linux su", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSu", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or ('Logoff' in~ (eventtype_in)) or ('Elevation' in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or 
(eventresult == \"Success\"))\n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Sucessful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | invoke prefilter()\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n};\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | invoke prefilter()\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SuSignInAuthorized (disabled = disabled)\n ,\n SuDisconnect(disabled = disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | 
extend\n EventVendor = 'Linux'\n ,\n EventProduct = 'su'\n ,\n DvcOs = 'Linux'\n ,\n TargetDvcOs = 'Linux'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.2'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n ActorUsernameType = 'Simple'\n ,\n TargetUsernameType = 'Simple'\n ,\n EventSeverity = 'Informational'\n ,\n ActingAppType = 'Process'\n ,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n ,\n ActingAppId = tostring(ProcessID)\n | project-away Computer, ProcessID, temp*\n | project-rename \n EventUid = _ItemId\n ,\n DvcScopeId = _SubscriptionId\n ,\n DvcId = _ResourceId\n ,\n DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n ,\n Dvc = DvcHostname\n ,\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n ,\n TargetDomain = DvcDomain\n ,\n TargetFQDN = DvcFQDN\n ,\n TargetDomainType = DvcDomainType\n ,\n TargetHostname = DvcHostname\n ,\n TargetDvcId = DvcId\n ,\n TargetDvcScopeId = DvcScopeId\n ,\n TargetDvcIdType = DvcDomainType\n ,\n IpAddr = DvcIpAddr\n ,\n TargetIpAddr = DvcIpAddr\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM 
filtering parser for Linux su", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSu", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or ('Logoff' in~ (eventtype_in)) or ('Elevation' in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or (eventresult == \"Success\"))\n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Sucessful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | invoke prefilter()\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n};\n // \n // -- 
SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | invoke prefilter()\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SuSignInAuthorized (disabled = disabled)\n ,\n SuDisconnect(disabled = disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n EventVendor = 'Linux'\n ,\n EventProduct = 'su'\n ,\n DvcOs = 'Linux'\n ,\n TargetDvcOs = 'Linux'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.2'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n ActorUsernameType = 'Simple'\n ,\n TargetUsernameType = 'Simple'\n ,\n EventSeverity = 'Informational'\n ,\n ActingAppType = 'Process'\n ,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n ,\n ActingAppId = tostring(ProcessID)\n | project-away Computer, ProcessID, temp*\n | project-rename \n EventUid = _ItemId\n ,\n DvcScopeId = 
_SubscriptionId\n ,\n DvcId = _ResourceId\n ,\n DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n ,\n Dvc = DvcHostname\n ,\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n ,\n TargetDomain = DvcDomain\n ,\n TargetFQDN = DvcFQDN\n ,\n TargetDomainType = DvcDomainType\n ,\n TargetHostname = DvcHostname\n ,\n TargetDvcId = DvcId\n ,\n TargetDvcScopeId = DvcScopeId\n ,\n TargetDvcIdType = DvcDomainType\n ,\n IpAddr = DvcIpAddr\n ,\n TargetIpAddr = DvcIpAddr\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json index 28000e1a39c..1b20464099f 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSudo')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSudo", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Syslog sudo", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSudo", - "query": "let SudoSignInAuthorized=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Other' in~ 
(eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'Linux',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ************************\n // \n // ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n // ************************\n // \n // ************************\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nlet SudoAuthFailure1=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n 
eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Linux',\n TargetUsernameType = 'Simple'\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n 
,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nlet SudoDisconnect=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\"\n and SyslogMessage has 'session closed for user '\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logoff\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Other' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not 
coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'Linux',\n TargetUsernameType = 'Simple'\n // ************************\n // \n // ************************\n | extend\n Dvc = Computer,\n User = TargetUsername\n // ************************\n // \n // ************************\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nunion isfuzzy=false \n SudoSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \n SudoAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \n SudoDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Syslog sudo", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSudo", + "query": "let SudoSignInAuthorized=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Other' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename 
TargetUsername = USER\n | extend\n EventVendor = 'Linux',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ************************\n // \n // ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n // ************************\n // \n // ************************\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nlet SudoAuthFailure1=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 
'incorrect password attempts')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Linux',\n TargetUsernameType = 'Simple'\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n 
temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nlet SudoDisconnect=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\"\n and SyslogMessage has 'session closed for user '\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logoff\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Other' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'Linux',\n TargetUsernameType = 'Simple'\n // ************************\n // \n // ************************\n | extend\n Dvc = Computer,\n User = TargetUsername\n // ************************\n // \n // ************************\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nunion isfuzzy=false \n SudoSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \n SudoAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \n SudoDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json index adda7275bf8..b043e73d08b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json 
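Review bot: In the re-emitted query only the SudoAuthFailure1 branch renames `EventUid = _ItemId`; SudoSignInAuthorized (`| project-rename TargetUsername = USER`) and SudoDisconnect never do, and their `project-away Computer, MG, SourceSystem, TenantId, temp_*` does not drop `_ItemId`, so after `union isfuzzy=false` EventUid is populated for failure events only and the other two branches carry an unnormalized `_ItemId` column instead. The same query spells the field `EventOriginalRestultDetails` in all three branches, whereas the VMware Carbon Black Cloud template in this same commit uses the schema name `EventOriginalResultDetails`, so any content keyed on the correct name sees an empty value for sudo events. This file looks like generator output of the ARM template change (the resource flattening is the only thing the commit alters here), so both fixes belong in the parser's YAML source followed by a regeneration rather than a hand edit of this JSON.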
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationVMwareCarbonBlackCloud", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (description_s has_any (\"logged in\", \"login\", \"second factor authentication\") and description_s !has \"connector\")\n and ((array_length(username_has_any) == 0) or (loginName_s has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and (array_length(eventtype_in) == 0 or 'Logon' 
has_any (eventtype_in))\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | extend\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n )\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\"),\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationVMwareCarbonBlackCloud", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (description_s has_any (\"logged in\", \"login\", \"second factor authentication\") and description_s !has 
\"connector\")\n and ((array_length(username_has_any) == 0) or (loginName_s has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and (array_length(eventtype_in) == 0 or 'Logon' has_any (eventtype_in))\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | extend\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n )\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\"),\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = 
orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json index 896f4c2868d..83339a1ab48 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json 
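Review bot: The event-type filter in this query is written as `'Logon' has_any (eventtype_in)` in the pre-filter and `EventType has_any (eventtype_in)` after the extend, which is term matching of the literal against the caller's list, while the sudo and su parsers in this commit express the same check as `"Logon" in~ (eventtype_in)` and `EventType in~ (eventtype_in)`; for plain values the two agree, but `in~` is exact case-insensitive membership and is what the sibling parsers use, so I would align it to `and (array_length(eventtype_in) == 0 or 'Logon' in~ (eventtype_in))` and `| where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))`. On the ARM side, the flattened savedSearches resource keeps `"location": "[parameters('WorkspaceRegion')]"` while `dependsOn` and the parent workspace resource are gone, so the template now presumes an already-deployed workspace; if savedSearches does not accept `location` (it appears to be a proxy resource, but I have not verified this against the 2020-08-01 schema), the WorkspaceRegion parameter is dead weight and the generator template should drop it. Both points apply to the sudo hunk above as well, and since these JSON files are generator output the fixes belong in the source YAML and the generator template, not here.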
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationVectraXDRAudit')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationVectraXDRAudit", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Vectra XDR Audit Logs Event", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationVectraXDRAudit", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Audits_Data_CL\n | where not(disabled)\n and event_action_s in (\"login\", \"logout\")\n and (isnull(starttime) or event_timestamp_t >= starttime)\n and (isnull(endtime) or event_timestamp_t <= endtime)\n and ((array_length(username_has_any) == 0) or username_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (\"Logon\" in~ (eventtype_in)) or (\"Logoff\" in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails 
not available in source\n // eventresult filtering done later in the parser\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s == \"success\", \"Success\", result_status_s == \"failure\", \"Failure\", \"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s == \"login\", \"Logon\", event_action_s == \"logout\", \"Logoff\", \"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n // Post-filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d,\n *_s,\n event_timestamp_t,\n api_client_id_g,\n TenantId,\n _ResourceId,\n RawData,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationVectraXDRAudit", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Audits_Data_CL\n | where not(disabled)\n and event_action_s in (\"login\", \"logout\")\n and (isnull(starttime) or event_timestamp_t >= starttime)\n and (isnull(endtime) or event_timestamp_t <= 
endtime)\n and ((array_length(username_has_any) == 0) or username_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (\"Logon\" in~ (eventtype_in)) or (\"Logoff\" in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s == \"success\", \"Success\", result_status_s == \"failure\", \"Failure\", \"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s == \"login\", \"Logon\", event_action_s == \"logout\", \"Logoff\", \"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n // Post-filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d,\n *_s,\n event_timestamp_t,\n api_client_id_g,\n TenantId,\n _ResourceId,\n RawData,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEvent/ASimDhcpEvent.json b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEvent/ASimDhcpEvent.json index b2026dda558..70671a450cb 100644 --- a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEvent/ASimDhcpEvent.json +++ b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEvent/ASimDhcpEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDhcpEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDhcpEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp event ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimDhcpEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimDhcpEventEmpty,\n ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers))))\n}; \nparser (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp event ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimDhcpEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimDhcpEventEmpty,\n 
ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers)))),\n ASimDhcpEventInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpInfobloxBloxOne' in (DisabledParsers))))\n}; \nparser (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/ASimDhcpEventInfobloxBloxOne.json b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/ASimDhcpEventInfobloxBloxOne.json new file mode 100644 index 00000000000..e185af5d191 --- /dev/null +++ b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/ASimDhcpEventInfobloxBloxOne.json 
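Review bot: The watchlist key for the new union member, `'ExcludeASimDhcpInfobloxBloxOne'`, drops "Event" and so matches neither the `ExcludeASimDhcpEventNative` form on the line before it nor the function alias `ASimDhcpEventInfobloxBloxOne`; an operator who adds the expected `ExcludeASimDhcpEventInfobloxBloxOne` row to the `ASimDisabledParsers` watchlist would not disable this parser. The filtering counterpart in imDhcpEvent.json later in this diff uses the consistent `ExcludevimDhcpEventInfobloxBloxOne`, so this one is the outlier. Suggested: `ASimDhcpEventInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventInfobloxBloxOne' in (DisabledParsers))))`.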
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDhcpEventInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "DhcpEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "ASimDhcpEventInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"DHCP\" and ApplicationProtocol == \"DHCP\" | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | lookup EventSeverityLookup on LogSeverity | invoke 
_ASIM_ResolveSrcFQDN('SourceHostName') | invoke _ASIM_ResolveDvcFQDN('InfobloxHost') | project-rename SrcIpAddr = SourceIP, SrcMacAddr = SourceMACAddress, DhcpLeaseDuration = InfoBloxLifeTime, DhcpSrcDHCId = InfoBloxClientId, EventOriginalSeverity = LogSeverity, EventOriginalType = DeviceEventClassID, EventUid = _ItemId | extend EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, EventType = iff(Activity has_any (\"Abandon\", \"Delete\"), \"Release\", \"Assign\"), AdditionalFields = bag_pack( \"InfobloxIPSpace\", InfobloxIPSpace, \"InfobloxSubnet\", InfobloxSubnet, \"InfobloxRangeStart\", InfobloxRangeStart, \"InfobloxRangeEnd\", InfobloxRangeEnd, \"InfobloxLeaseOp\", InfobloxLeaseOp, \"InfobloxClientID\", InfobloxClientID, \"InfobloxDUID\", InfobloxDUID, \"InfobloxLeaseUUID\", InfobloxLeaseUUID, \"InfobloxFingerprintPr\", InfobloxFingerprintPr, \"InfobloxFingerprint\", InfobloxFingerprint, \"InfobloxDHCPOptions\", InfobloxDHCPOptions ), Duration = DhcpLeaseDuration, IpAddr = SrcIpAddr | extend EventCount = toint(1), EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventResult = \"Success\", EventSchema = \"DhcpEvent\", EventSchemaVersion = \"0.1\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, EventOutcome, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, CollectorHostName, ExtID, Reason, Message, Activity, Infoblox* }; parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file 
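Review bot: The `query` value here is collapsed onto a single line with no `\n` separators, unlike the sibling vimDhcpEventInfobloxBloxOne.json template in this same commit, which makes the KQL hard to review and produces unreadable diffs on later edits; regenerating it with the line breaks preserved would bring it in line with the other ASIM templates. The file also ends with `\ No newline at end of file` while the rest of this commit normalizes the other templates to end with a newline. One point to confirm in the mapping: `EventType = iff(Activity has_any ("Abandon", "Delete"), "Release", "Assign")` classifies every other activity value as `Assign`, so if the source emits additional lease operations (the parser already extracts `InfobloxLeaseOp` into AdditionalFields) they would be reported as assignments; a short comment stating that assumption would help the next maintainer.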
diff --git a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/README.md b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/README.md new file mode 100644 index 00000000000..0eb72074d0e --- /dev/null +++ b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/README.md @@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM DhcpEvent Normalization Parser + +ARM template for ASIM DhcpEvent schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing Dhcp logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM DhcpEvent normalization schema reference](https://aka.ms/ASimDhcpEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDhcpEvent%2FARM%2FASimDhcpEventInfobloxBloxOne%2FASimDhcpEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDhcpEvent%2FARM%2FASimDhcpEventInfobloxBloxOne%2FASimDhcpEventInfobloxBloxOne.json) diff --git a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventNative/ASimDhcpEventNative.json b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventNative/ASimDhcpEventNative.json index 14f9d6f02da..cccf65dc751 100644 --- a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventNative/ASimDhcpEventNative.json +++ b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventNative/ASimDhcpEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDhcpEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDhcpEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp Event ASIM parser for Microsoft Sentinel native Dhcp Event table", - "category": "ASIM", - "FunctionAlias": "ASimDhcpEventNative", - "query": "let parser = (\n disabled:bool = false\n)\n{\n ASimDhcpEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"DhcpEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n SessionId = DhcpSessionId,\n Duration = DhcpSessionDuration,\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Hostname = SrcHostname\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp Event ASIM parser for Microsoft Sentinel native Dhcp Event table", + "category": "ASIM", + "FunctionAlias": "ASimDhcpEventNative", + "query": "let parser = (\n disabled:bool = false\n)\n{\n ASimDhcpEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n 
EventSchema = \"DhcpEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n SessionId = DhcpSessionId,\n Duration = DhcpSessionDuration,\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Hostname = SrcHostname\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/FullDeploymentDhcpEvent.json b/Parsers/ASimDhcpEvent/ARM/FullDeploymentDhcpEvent.json index df82214d729..34b36498c33 100644 --- a/Parsers/ASimDhcpEvent/ARM/FullDeploymentDhcpEvent.json +++ b/Parsers/ASimDhcpEvent/ARM/FullDeploymentDhcpEvent.json @@ -38,6 +38,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimDhcpEventInfobloxBloxOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/ASimDhcpEventInfobloxBloxOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
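Review bot: In the retained query body, `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests `EventEndTime` rather than `EventStartTime`, so a row with a null start time and a populated end time keeps the null start, while a row with a null end time gets its start overwritten with TimeGenerated even when it was set. This line is carried over unchanged from the old side, so it is pre-existing rather than introduced by the restructuring, but it is worth fixing while the template is being regenerated: `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),\n`.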
@@ -98,6 +118,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDhcpEventInfobloxBloxOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/vimDhcpEventInfobloxBloxOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimDhcpEvent/ARM/imDhcpEvent/imDhcpEvent.json b/Parsers/ASimDhcpEvent/ARM/imDhcpEvent/imDhcpEvent.json index ec494cc7d56..5a56351b6bd 100644 --- a/Parsers/ASimDhcpEvent/ARM/imDhcpEvent/imDhcpEvent.json +++ b/Parsers/ASimDhcpEvent/ARM/imDhcpEvent/imDhcpEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imDhcpEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imDhcpEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp event ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imDhcpEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimDhcpEventEmpty,\n vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, pack=pack)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp event ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imDhcpEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimDhcpEventEmpty,\n vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers)))),\n vimDhcpEventInfobloxBloxOne (starttime = starttime, endtime = endtime, srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, srchostname_has_any = srchostname_has_any, srcusername_has_any = , eventresult = eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventInfobloxBloxOne' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, pack=pack)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json index d8a09bd3efc..14952ca93a0 100644 --- a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json +++ b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json 
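Review bot: The new union member call in the `query` value passes an empty argument, `srcusername_has_any = , eventresult = eventresult`, which is not valid KQL; since this is the body of the `imDhcpEvent` saved function itself rather than a fuzzy union member, the whole filtering parser would likely fail to parse once deployed. It should read `srcusername_has_any = srcusername_has_any`. The rest of that call also uses spaces around `=` while the `vimDhcpEventNative (...)` call on the line before does not; matching the existing style would keep the two calls readable side by side.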
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDhcpEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDhcpEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimDhcpEventEmpty", - "query": "let EmptyDhcpEvents =datatable (\n TimeGenerated:datetime\n, _ResourceId:string\n, Type:string\n// ****** Event fields ******\n, EventType:string\n, EventProduct:string\n, EventProductVersion:string\n, EventCount:int\n, EventMessage:string\n, EventVendor:string\n, EventSchema:string\n, EventSchemaVersion:string\n, EventSeverity:string\n, EventSubType:string\n, EventOriginalUid:string\n, EventOriginalType:string\n, EventOriginalResultDetails:string\n, EventOriginalSeverity:string\n, EventOriginalSubType:string\n, EventStartTime:datetime\n, EventEndTime:datetime\n, EventReportUrl:string\n, EventResult: string\n, EventResultDetails: string\n, AdditionalFields:dynamic\n, EventOwner:string\n// ****** Device fields ******\n, DvcId:string\n, DvcHostname:string\n, DvcDomain:string\n, DvcDomainType:string\n, DvcFQDN:string\n, DvcIpAddr:string\n, DvcOs:string\n, DvcOsVersion:string\n, DvcMacAddr:string\n, DvcAction:string\n, DvcOriginalAction:string\n, DvcDescription: string\n, DvcIdType: string\n, DvcInterface: string\n, DvcZone: string\n, DvcScopeId:string\n, DvcScope:string\n// ****** Source User fields ******\n, SrcUserId:string\n, SrcUserUid:string\n, SrcUserIdType:string\n, SrcUserScopeId:string\n, SrcUserScope:string\n, 
SrcUsername:string\n, SrcUsernameType:string\n, SrcUserType:string\n, SrcOriginalUserType:string\n, SrcUserSessionId:string\n// ****** Source System fields ******\n, SrcIpAddr: string\n, SrcPortNumber:int\n, SrcHostname:string\n, SrcMacAddr:string\n, SrcDomain:string\n, SrcDomainType:string\n, SrcFQDN:string\n, SrcDescription:string\n, SrcDvcId:string\n, SrcDvcIdType:string\n, SrcDvcScopeId:string\n, SrcDvcScope:string\n, SrcDeviceType:string\n, SrcGeoCountry:string\n, SrcGeoLatitude:real\n, SrcGeoLongitude:real\n, SrcGeoRegion:string\n, SrcGeoCity:string\n, SrcRiskLevel:int\n, SrcOriginalRiskLevel:string\n// ****** Dhcp Event Fields ******\n, RequestedIpAddr:string //Optional\n, DhcpLeaseDuration:int\n, DhcpSessionId:string\n, DhcpSessionDuration:int\n, DhcpSrcDHCId:string\n, DhcpCircuitId:string\n, DhcpSubscriberId:string\n, DhcpVendorClassId:string\n, DhcpVendorClass:string\n, DhcpUserClassId:string\n, DhcpUserClass:string\n// ****** aliases ******\n, SessionId:string\n, Duration:int\n, Src: string\n, Dst: string\n, User: string\n, IpAddr:string\n, Hostname:string\n//****** Inspection fields ******\n, RuleName:string\n, RuleNumber:int\n, ThreatId:string\n, ThreatName:string\n, ThreatCategory:string\n, ThreatRiskLevel:int\n, ThreatOriginalRiskLevel:string\n, ThreatConfidence:int\n, ThreatOriginalConfidence:string\n, ThreatIsActive:bool\n, ThreatFirstReportedTime:datetime\n, ThreatLastReportedTime:datetime\n, ThreatField:string\n)[];\nEmptyDhcpEvents", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimDhcpEventEmpty", + "query": "let EmptyDhcpEvents =datatable (\n TimeGenerated:datetime\n, _ResourceId:string\n, Type:string\n// ****** Event fields ******\n, EventType:string\n, EventProduct:string\n, EventProductVersion:string\n, EventCount:int\n, EventMessage:string\n, EventVendor:string\n, EventSchema:string\n, EventSchemaVersion:string\n, 
EventSeverity:string\n, EventSubType:string\n, EventOriginalUid:string\n, EventOriginalType:string\n, EventOriginalResultDetails:string\n, EventOriginalSeverity:string\n, EventOriginalSubType:string\n, EventStartTime:datetime\n, EventEndTime:datetime\n, EventReportUrl:string\n, EventResult: string\n, EventResultDetails: string\n, AdditionalFields:dynamic\n, EventOwner:string\n// ****** Device fields ******\n, DvcId:string\n, DvcHostname:string\n, DvcDomain:string\n, DvcDomainType:string\n, DvcFQDN:string\n, DvcIpAddr:string\n, DvcOs:string\n, DvcOsVersion:string\n, DvcMacAddr:string\n, DvcAction:string\n, DvcOriginalAction:string\n, DvcDescription: string\n, DvcIdType: string\n, DvcInterface: string\n, DvcZone: string\n, DvcScopeId:string\n, DvcScope:string\n// ****** Source User fields ******\n, SrcUserId:string\n, SrcUserUid:string\n, SrcUserIdType:string\n, SrcUserScopeId:string\n, SrcUserScope:string\n, SrcUsername:string\n, SrcUsernameType:string\n, SrcUserType:string\n, SrcOriginalUserType:string\n, SrcUserSessionId:string\n// ****** Source System fields ******\n, SrcIpAddr: string\n, SrcPortNumber:int\n, SrcHostname:string\n, SrcMacAddr:string\n, SrcDomain:string\n, SrcDomainType:string\n, SrcFQDN:string\n, SrcDescription:string\n, SrcDvcId:string\n, SrcDvcIdType:string\n, SrcDvcScopeId:string\n, SrcDvcScope:string\n, SrcDeviceType:string\n, SrcGeoCountry:string\n, SrcGeoLatitude:real\n, SrcGeoLongitude:real\n, SrcGeoRegion:string\n, SrcGeoCity:string\n, SrcRiskLevel:int\n, SrcOriginalRiskLevel:string\n// ****** Dhcp Event Fields ******\n, RequestedIpAddr:string //Optional\n, DhcpLeaseDuration:int\n, DhcpSessionId:string\n, DhcpSessionDuration:int\n, DhcpSrcDHCId:string\n, DhcpCircuitId:string\n, DhcpSubscriberId:string\n, DhcpVendorClassId:string\n, DhcpVendorClass:string\n, DhcpUserClassId:string\n, DhcpUserClass:string\n// ****** aliases ******\n, SessionId:string\n, Duration:int\n, Src: string\n, Dst: string\n, User: string\n, IpAddr:string\n, 
Hostname:string\n//****** Inspection fields ******\n, RuleName:string\n, RuleNumber:int\n, ThreatId:string\n, ThreatName:string\n, ThreatCategory:string\n, ThreatRiskLevel:int\n, ThreatOriginalRiskLevel:string\n, ThreatConfidence:int\n, ThreatOriginalConfidence:string\n, ThreatIsActive:bool\n, ThreatFirstReportedTime:datetime\n, ThreatLastReportedTime:datetime\n, ThreatField:string\n)[];\nEmptyDhcpEvents", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/README.md b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/README.md new file mode 100644 index 00000000000..a9014dad510 --- /dev/null +++ b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/README.md @@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM DhcpEvent Normalization Parser + +ARM template for ASIM DhcpEvent schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing DhcpEvent logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM DhcpEvent normalization schema reference](https://aka.ms/ASimDhcpEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDhcpEvent%2FARM%2FvimDhcpEventInfobloxBloxOne%2FvimDhcpEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDhcpEvent%2FARM%2FvimDhcpEventInfobloxBloxOne%2FvimDhcpEventInfobloxBloxOne.json) diff --git a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/vimDhcpEventInfobloxBloxOne.json b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/vimDhcpEventInfobloxBloxOne.json new file mode 100644 index 00000000000..2e932dfbf52 --- /dev/null +++ b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/vimDhcpEventInfobloxBloxOne.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDhcpEventInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "DhcpEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "vimDhcpEventInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Infoblox\"\n and DeviceEventClassID has \"DHCP\"\n and ApplicationProtocol == \"DHCP\"\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and 
(array_length(srchostname_has_any) == 0 or (SourceHostName has_any (srchostname_has_any)))\n and array_length(srcusername_has_any) == 0\n and ((eventresult == \"*\") or (eventresult == \"Success\"))\n | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventSeverityLookup on LogSeverity\n | invoke _ASIM_ResolveSrcFQDN('SourceHostName')\n | invoke _ASIM_ResolveDvcFQDN('InfobloxHost')\n | project-rename\n SrcIpAddr = SourceIP,\n SrcMacAddr = SourceMACAddress,\n DhcpLeaseDuration = InfoBloxLifeTime,\n DhcpSrcDHCId = InfoBloxClientId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventUid = _ItemId\n | extend\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventType = iff(Activity has_any (\"Abandon\", \"Delete\"), \"Release\", \"Assign\"),\n AdditionalFields = bag_pack(\n \"InfobloxIPSpace\",\n InfobloxIPSpace,\n \"InfobloxSubnet\",\n InfobloxSubnet,\n \"InfobloxRangeStart\",\n InfobloxRangeStart,\n \"InfobloxRangeEnd\",\n InfobloxRangeEnd,\n \"InfobloxLeaseOp\",\n InfobloxLeaseOp,\n \"InfobloxClientID\",\n InfobloxClientID,\n \"InfobloxDUID\",\n InfobloxDUID,\n \"InfobloxLeaseUUID\",\n InfobloxLeaseUUID,\n \"InfobloxFingerprintPr\",\n InfobloxFingerprintPr,\n \"InfobloxFingerprint\",\n InfobloxFingerprint,\n \"InfobloxDHCPOptions\",\n InfobloxDHCPOptions\n ),\n Duration = DhcpLeaseDuration,\n IpAddr = SrcIpAddr\n | extend\n EventCount = toint(1),\n EventProduct = \"BloxOne\",\n EventVendor = \"Infoblox\",\n EventResult = \"Success\",\n EventSchema = \"DhcpEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n Source*,\n 
Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity,\n Computer,\n ApplicationProtocol,\n CollectorHostName,\n ExtID,\n Reason,\n Message,\n Activity,\n Infoblox*\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n srchostname_has_any = srchostname_has_any,\n srcusername_has_any = srcusername_has_any,\n eventresult = eventresult,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventNative/vimDhcpEventNative.json b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventNative/vimDhcpEventNative.json index 2e774e95d43..1bd1b3c6a28 100644 --- a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventNative/vimDhcpEventNative.json +++ b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventNative/vimDhcpEventNative.json 
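Review bot: The new file ends with `\ No newline at end of file` while every other template in this commit is changed to gain the trailing newline, so vimDhcpEventInfobloxBloxOne.json should get the same treatment to keep the generator's output consistent. In the query, `InfoBloxClientId` is renamed to `DhcpSrcDHCId` while a separately capitalised `InfobloxClientID` is packed into AdditionalFields; if both keys genuinely occur in the vendor's AdditionalExtensions this is fine, but a short KQL comment noting that the two differ only in case would save the next reader a double-take. The parser also returns no rows whenever `srcusername_has_any` is non-empty, which is the expected behaviour for a source that carries no usernames but is worth stating in a comment next to `and array_length(srcusername_has_any) == 0`.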
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDhcpEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDhcpEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp Event ASIM filtering parser for Microsoft Sentinel native Dhcp Event table", - "category": "ASIM", - "FunctionAlias": "vimDhcpEventNative", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n ASimDhcpEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or (SrcHostname has_any (srchostname_has_any)))\n and (array_length(srcusername_has_any) == 0 or (SrcUsername has_any (srcusername_has_any)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"DhcpEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, 
_ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n SessionId = DhcpSessionId,\n Duration = DhcpSessionDuration,\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Hostname = SrcHostname\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n srchostname_has_any = srchostname_has_any,\n srcusername_has_any = srcusername_has_any,\n eventresult = eventresult,\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp Event ASIM filtering parser for Microsoft Sentinel native Dhcp Event table", + "category": "ASIM", + "FunctionAlias": "vimDhcpEventNative", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n ASimDhcpEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or (SrcHostname has_any (srchostname_has_any)))\n and (array_length(srcusername_has_any) == 0 or (SrcUsername has_any (srcusername_has_any)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"DhcpEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n 
EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n SessionId = DhcpSessionId,\n Duration = DhcpSessionDuration,\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Hostname = SrcHostname\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n srchostname_has_any = srchostname_has_any,\n srcusername_has_any = srcusername_has_any,\n eventresult = eventresult,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDns/ASimDns.json b/Parsers/ASimDns/ARM/ASimDns/ASimDns.json index fa7e18a9dec..88b3ce1a72c 100644 --- a/Parsers/ASimDns/ARM/ASimDns/ASimDns.json +++ b/Parsers/ASimDns/ARM/ASimDns/ASimDns.json 
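Review bot: With the parent `Microsoft.OperationalInsights/workspaces` resource and its `dependsOn` removed, the savedSearches resource is deployed directly against a workspace the template no longer declares, so a deployment whose `Workspace` parameter names a workspace that does not yet exist in the resource group will presumably fail rather than create it. That is arguably the safer behaviour, since the old form also declared the workspace itself as a resource to be created or updated with only a name and location, but the `Workspace` parameter description (outside this hunk) should state that the workspace must already exist. The same restructuring appears in ASimDns.json, ASimDnsAzureFirewall.json and ASimDnsCiscoUmbrella.json in this chunk and the remark applies to those as well.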
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDns')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDns", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimDns", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeASimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n ASimDnsAzureFirewall (imDnsBuiltInDisabled or ('ExcludeASimASimDnsAzureFirewall' in (DisabledParsers) )),\n ASimDnsCiscoUmbrella (imDnsBuiltInDisabled or ('ExcludeASimDnsCiscoUmbrella' in (DisabledParsers) )),\n ASimDnsCorelightZeek (imDnsBuiltInDisabled or ('ExcludeASimDnsCorelightZeek' in (DisabledParsers) )),\n ASimDnsFortinetFortiGate (imDnsBuiltInDisabled or ('ExcludeASimDnsFortinetFortiGate' in (DisabledParsers) )),\n ASimDnsGcp (imDnsBuiltInDisabled or ('ExcludeASimDnsDnsGcp' in (DisabledParsers) )),\n ASimDnsInfobloxNIOS (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxNIOS' in (DisabledParsers) )),\n ASimDnsMicrosoftNXlog (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftNXlog' in (DisabledParsers) )),\n ASimDnsMicrosoftOMS (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftOMS' in (DisabledParsers) )),\n ASimDnsMicrosoftSysmon (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmon' 
in (DisabledParsers) )),\n ASimDnsMicrosoftSysmonWindowsEvent (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimDnsNative (imDnsBuiltInDisabled or ('ExcludeASimDnsNative' in (DisabledParsers) )),\n ASimDnsSentinelOne (imDnsBuiltInDisabled or ('ExcludeASimDnsSentinelOne' in (DisabledParsers) )),\n ASimDnsVectraAI (imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI' in (DisabledParsers) )),\n ASimDnsZscalerZIA (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) ))", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimDns", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeASimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n ASimDnsAzureFirewall (imDnsBuiltInDisabled or ('ExcludeASimASimDnsAzureFirewall' in (DisabledParsers) )),\n ASimDnsCiscoUmbrella (imDnsBuiltInDisabled or ('ExcludeASimDnsCiscoUmbrella' in (DisabledParsers) )),\n ASimDnsCorelightZeek (imDnsBuiltInDisabled or ('ExcludeASimDnsCorelightZeek' in (DisabledParsers) )),\n ASimDnsFortinetFortiGate (imDnsBuiltInDisabled or ('ExcludeASimDnsFortinetFortiGate' in (DisabledParsers) )),\n ASimDnsGcp (imDnsBuiltInDisabled or ('ExcludeASimDnsDnsGcp' in (DisabledParsers) )),\n ASimDnsInfobloxNIOS (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxNIOS' in (DisabledParsers) )),\n ASimDnsMicrosoftNXlog (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftNXlog' in (DisabledParsers) )),\n ASimDnsMicrosoftOMS (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftOMS' in (DisabledParsers) )),\n ASimDnsMicrosoftSysmon (imDnsBuiltInDisabled or 
('ExcludeASimDnsMicrosoftSysmon' in (DisabledParsers) )),\n ASimDnsMicrosoftSysmonWindowsEvent (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimDnsNative (imDnsBuiltInDisabled or ('ExcludeASimDnsNative' in (DisabledParsers) )),\n ASimDnsSentinelOne (imDnsBuiltInDisabled or ('ExcludeASimDnsSentinelOne' in (DisabledParsers) )),\n ASimDnsVectraAI (imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI' in (DisabledParsers) )),\n ASimDnsZscalerZIA (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) )),\n ASimDnsInfobloxBloxOne (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxBloxOne' in (DisabledParsers) ))", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsAzureFirewall/ASimDnsAzureFirewall.json b/Parsers/ASimDns/ARM/ASimDnsAzureFirewall/ASimDnsAzureFirewall.json index 0be62cfe0d3..4b8eabb7ecd 100644 --- a/Parsers/ASimDns/ARM/ASimDnsAzureFirewall/ASimDnsAzureFirewall.json +++ b/Parsers/ASimDns/ARM/ASimDnsAzureFirewall/ASimDnsAzureFirewall.json 
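Review bot: The disable keys `'ExcludeASimASimDnsAzureFirewall'` and `'ExcludeASimDnsDnsGcp'` do not follow the `ExcludeASimDns<Source>` pattern used by every other entry, including the newly added `'ExcludeASimDnsInfobloxBloxOne'`, so a watchlist row written as `ExcludeASimDnsAzureFirewall` or `ExcludeASimDnsGcp` would not actually disable those parsers. Unless the ASimDisabledParsers watchlist intentionally uses these spellings, they should become `'ExcludeASimDnsAzureFirewall'` and `'ExcludeASimDnsGcp'`, or accept both spellings during a transition. This matters operationally because the watchlist is the control an analyst relies on to switch off a misbehaving or noisy source parser without redeploying.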
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsAzureFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsAzureFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Azure Firewall", - "category": "ASIM", - "FunctionAlias": "ASimDnsAzureFirewall", - "query": "let DNS_query=(disabled:bool=false){\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s startswith \"DNS Request:\"\n | project msg_s, TimeGenerated, ResourceId\n | parse msg_s with\n \"DNS Request: \" \n SrcIpAddr:string \":\" SrcPortNumber:int \n \" - \" EventOriginalUid:string \n \" \" DnsQueryTypeName:string \n \" \" DnsQueryClassName:string\n \" \" DnsQuery:string\n \". 
\" NetworkProtocol:string \n \" \" SrcBytes:int \n \" \" DnsDNSSECflag:bool \n \" \" DnsDNSSECBufferSize:int \n \" \" EventResultDetails:string \n \" \" DnsFlags:string\n \" \" DstBytes:int\n \" \" DnsNetworkDuration:double\n \"s\"\n | project-away msg_s\n | extend\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventSubType = \"response\",\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \n};\nlet DNS_error=(disabled:bool=false) {\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \" Error:\"\n | parse msg_s with \n \" Error: \" nu:string \n \" \" DnsQuery:string \n \". \" DnsQueryTypeName:string \n \": \" op:string \n \" \" NetworkProtocol:string\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \n \"->\" DstIpAddr:string \":\" DstPortNumber:int \n \": \" EventResultOriginalDetails:string\n | project-away msg_s\n | extend \n EventResult = \"Failure\",\n EventSubType = \"request\"\n};\nlet DNS = (disabled:bool=false) {\n union DNS_query(disabled), DNS_error(disabled)\n | extend\n NetworkProtocol = toupper(NetworkProtocol)\n | project-rename\n DvcId = ResourceId\n | extend\n DvcIdType = \"AzureResourceId\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"Azure Firewall\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.3\",\n EventEndTime = TimeGenerated, \n EventType = 'Query',\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\n DnsFlagsTruncates = DnsFlags has \"tc\"\n | extend\n // -- Aliases\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n 
Src=SrcIpAddr,\n Dst=DstIpAddr,\n Duration = DnsNetworkDuration,\n Dvc=DvcId\n | extend\n // -- Backward Compatibility\n Query = DnsQuery,\n QueryTypeName = DnsQueryTypeName,\n ResponseCodeName = DnsResponseCodeName,\n Flags = DnsFlags\n};\nDNS(disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Azure Firewall", + "category": "ASIM", + "FunctionAlias": "ASimDnsAzureFirewall", + "query": "let DNS_query=(disabled:bool=false){\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s startswith \"DNS Request:\"\n | project msg_s, TimeGenerated, ResourceId\n | parse msg_s with\n \"DNS Request: \" \n SrcIpAddr:string \":\" SrcPortNumber:int \n \" - \" EventOriginalUid:string \n \" \" DnsQueryTypeName:string \n \" \" DnsQueryClassName:string\n \" \" DnsQuery:string\n \". \" NetworkProtocol:string \n \" \" SrcBytes:int \n \" \" DnsDNSSECflag:bool \n \" \" DnsDNSSECBufferSize:int \n \" \" EventResultDetails:string \n \" \" DnsFlags:string\n \" \" DstBytes:int\n \" \" DnsNetworkDuration:double\n \"s\"\n | project-away msg_s\n | extend\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventSubType = \"response\",\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \n};\nlet DNS_error=(disabled:bool=false) {\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \" Error:\"\n | parse msg_s with \n \" Error: \" nu:string \n \" \" DnsQuery:string \n \". 
\" DnsQueryTypeName:string \n \": \" op:string \n \" \" NetworkProtocol:string\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \n \"->\" DstIpAddr:string \":\" DstPortNumber:int \n \": \" EventResultOriginalDetails:string\n | project-away msg_s\n | extend \n EventResult = \"Failure\",\n EventSubType = \"request\"\n};\nlet DNS = (disabled:bool=false) {\n union DNS_query(disabled), DNS_error(disabled)\n | extend\n NetworkProtocol = toupper(NetworkProtocol)\n | project-rename\n DvcId = ResourceId\n | extend\n DvcIdType = \"AzureResourceId\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"Azure Firewall\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.3\",\n EventEndTime = TimeGenerated, \n EventType = 'Query',\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\n DnsFlagsTruncates = DnsFlags has \"tc\"\n | extend\n // -- Aliases\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Dst=DstIpAddr,\n Duration = DnsNetworkDuration,\n Dvc=DvcId\n | extend\n // -- Backward Compatibility\n Query = DnsQuery,\n QueryTypeName = DnsQueryTypeName,\n ResponseCodeName = DnsResponseCodeName,\n Flags = DnsFlags\n};\nDNS(disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsCiscoUmbrella/ASimDnsCiscoUmbrella.json b/Parsers/ASimDns/ARM/ASimDnsCiscoUmbrella/ASimDnsCiscoUmbrella.json index 99a22f585be..565b58e3eae 100644 --- a/Parsers/ASimDns/ARM/ASimDnsCiscoUmbrella/ASimDnsCiscoUmbrella.json +++ b/Parsers/ASimDns/ARM/ASimDnsCiscoUmbrella/ASimDnsCiscoUmbrella.json 
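Review bot: `DnsFlagsAuthenticated = DnsFlags has \"aa\"` and `DnsFlagsAuthoritative = DnsFlags has \"ad\"` appear to be swapped: in DNS header flags `aa` is the Authoritative Answer bit and `ad` is the Authentic Data bit, so the assignments should read `DnsFlagsAuthoritative = DnsFlags has \"aa\"` and `DnsFlagsAuthenticated = DnsFlags has \"ad\"`. This is carried over from the old side rather than introduced here, but since the hunk rewrites the whole query string it is the natural place to correct it; any detection keyed on DNSSEC-validated answers would otherwise be reading the wrong bit. The DNS_error branch does not parse DnsFlags at all, which is fine for error rows but deserves a one-line comment so nobody assumes the flag columns are meaningful there.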
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsCiscoUmbrella')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsCiscoUmbrella", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Cisco Umbrella", - "category": "ASIM", - "FunctionAlias": "ASimDnsCiscoUmbrella", - "query": "let DNSQuery_CiscoUmbrella=(disabled:bool=false){\n Cisco_Umbrella_dns_CL | where not(disabled)\n // \n // *********** Parsing\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\n //\n | project \n //\n // ******************* Mandatory\n EventCount=int(1),\n EventStartTime= column_ifexists(\"Timestamp_t\", todatetime(column_ifexists(\"Timestamp_s\",\"\"))),\n EventProduct=\"Umbrella\",\n EventVendor=\"Cisco\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"CiscoUmbrella\",\n EventType=\"Query\",\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\n EventResultDetails=ResponseCode_s, // => ResponseCodeNames\n //\n TimeGenerated, // not handled by schema, but we need to preserve it\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n EventSubType='response',\n // ********** Renamed columns\n UrlCategory=column_ifexists('Categories_s', ''),\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n EventEndTime=todatetime(column_ifexists('Timestamp_t', 
column_ifexists('Timestamp_s',\"\") )), \n //\n // *************** keep Parsed data\n DnsQueryType, DnsQueryTypeName\n // **************Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n DomainCategory=UrlCategory,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n };\nDNSQuery_CiscoUmbrella(disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Cisco Umbrella", + "category": "ASIM", + "FunctionAlias": "ASimDnsCiscoUmbrella", + "query": "let DNSQuery_CiscoUmbrella=(disabled:bool=false){\n Cisco_Umbrella_dns_CL | where not(disabled)\n // \n // *********** Parsing\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\n //\n | project \n //\n // ******************* Mandatory\n EventCount=int(1),\n EventStartTime= column_ifexists(\"Timestamp_t\", todatetime(column_ifexists(\"Timestamp_s\",\"\"))),\n EventProduct=\"Umbrella\",\n EventVendor=\"Cisco\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"CiscoUmbrella\",\n EventType=\"Query\",\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\n EventResultDetails=ResponseCode_s, // => ResponseCodeNames\n //\n TimeGenerated, // not handled by schema, but we need to preserve it\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n EventSubType='response',\n // ********** Renamed columns\n UrlCategory=column_ifexists('Categories_s', ''),\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n EventEndTime=todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") )), \n //\n // *************** keep Parsed data\n DnsQueryType, DnsQueryTypeName\n // **************Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n DomainCategory=UrlCategory,\n 
Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n };\nDNSQuery_CiscoUmbrella(disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json b/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json index 58405966c07..5cefc725d39 100644 --- a/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json +++ b/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json 
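Review bot: EventStartTime and EventEndTime are computed from the same two columns but in different shapes, `column_ifexists(\"Timestamp_t\", todatetime(column_ifexists(\"Timestamp_s\",\"\")))` versus `todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") ))`, which reads as if they were meant to differ. Writing both as the second form, or computing one and aliasing the other, would make the equivalence obvious. A comment stating that `Timestamp_t` is preferred and `Timestamp_s` is only a fallback for older ingestions would also help, if that is indeed the intent.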
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsCorelightZeek')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsCorelightZeek", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Corelight Zeek", - "category": "ASIM", - "FunctionAlias": "ASimDnsCorelightZeek", - "query": "let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 54, \"Unassigned\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, 
\"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"ANY\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"];\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'];\nlet parser=(disabled:bool=false){\n Corelight_CL | where not(disabled)\n | project Message, TimeGenerated\n | where Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"'\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"trans_id\"']:int,\n ['\"query\"']:string,\n ['\"qclass\"']:int,\n ['\"qtype\"']:int,\n ['\"AA\"']:bool,\n ['\"TC\"']:bool,\n ['\"CD\"']:bool,\n ['\"RD\"']:bool,\n ['\"RA\"']:bool,\n ['\"Z\"']:int,\n ['\"rejected\"']:bool,\n ['\"rcode\"']:int,\n ['\"rcode_name\"']:string,\n ['\"rtt\"']:real,\n ) \n with (quote = '\"')\n | parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.4\",\n EventType=\"Query\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n DnsQuery = ['\"query\"'],\n DnsResponseCode = ['\"rcode\"'],\n EventResultDetails = ['\"rcode_name\"'],\n DnsFlagsAuthoritative = ['\"AA\"'],\n DnsFlagsTruncated = ['\"TC\"'],\n DnsFlagsRecursionDesired = ['\"RD\"'],\n 
DnsFlagsCheckingDisabled = ['\"CD\"'],\n DnsFlagsRecursionAvailable = ['\"RA\"'],\n DnsQueryClass = ['\"qclass\"'],\n DnsQueryType = ['\"qtype\"'],\n rtt = ['\"rtt\"'],\n Z = ['\"Z\"'],\n trans_id = ['\"trans_id\"'],\n rejected = ['\"rejected\"'],\n Dvc = ['\"_system_name\"']\n | lookup query_type_lookup on DnsQueryType\n | lookup class_lookup on DnsQueryClass\n | extend\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\n DnsNetworkDuration = toint(rtt*1000),\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", DnsQueryType), DnsQueryTypeName),\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\n TransactionIdHex = tohex(toint(trans_id)),\n DnsFlagsZ = (Z != 0),\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\n | project-away rtt\n // Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n Dst=DstIpAddr\n | project-away Message, Z, TTLs, answers, trans_id, rejected\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Corelight Zeek", + "category": "ASIM", + "FunctionAlias": "ASimDnsCorelightZeek", + "query": "let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, 
\"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 54, \"Unassigned\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"ANY\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"];\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'];\nlet parser=(disabled:bool=false){\n Corelight_CL | where not(disabled)\n | project Message, TimeGenerated\n | where Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"'\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"trans_id\"']:int,\n ['\"query\"']:string,\n ['\"qclass\"']:int,\n ['\"qtype\"']:int,\n ['\"AA\"']:bool,\n ['\"TC\"']:bool,\n ['\"CD\"']:bool,\n ['\"RD\"']:bool,\n ['\"RA\"']:bool,\n ['\"Z\"']:int,\n ['\"rejected\"']:bool,\n ['\"rcode\"']:int,\n ['\"rcode_name\"']:string,\n ['\"rtt\"']:real,\n ) \n with (quote = '\"')\n | 
parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.4\",\n EventType=\"Query\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n DnsQuery = ['\"query\"'],\n DnsResponseCode = ['\"rcode\"'],\n EventResultDetails = ['\"rcode_name\"'],\n DnsFlagsAuthoritative = ['\"AA\"'],\n DnsFlagsTruncated = ['\"TC\"'],\n DnsFlagsRecursionDesired = ['\"RD\"'],\n DnsFlagsCheckingDisabled = ['\"CD\"'],\n DnsFlagsRecursionAvailable = ['\"RA\"'],\n DnsQueryClass = ['\"qclass\"'],\n DnsQueryType = ['\"qtype\"'],\n rtt = ['\"rtt\"'],\n Z = ['\"Z\"'],\n trans_id = ['\"trans_id\"'],\n rejected = ['\"rejected\"'],\n Dvc = ['\"_system_name\"']\n | lookup query_type_lookup on DnsQueryType\n | lookup class_lookup on DnsQueryClass\n | extend\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\n DnsNetworkDuration = toint(rtt*1000),\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", DnsQueryType), DnsQueryTypeName),\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\n TransactionIdHex = tohex(toint(trans_id)),\n DnsFlagsZ = (Z != 0),\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\n | project-away rtt\n // Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n Dst=DstIpAddr\n | 
project-away Message, Z, TTLs, answers, trans_id, rejected\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/ASimDnsFortinetFortigate.json b/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/ASimDnsFortinetFortigate.json index dada136cb5e..93423e4e572 100644 --- a/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/ASimDnsFortinetFortigate.json +++ b/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/ASimDnsFortinetFortigate.json 
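Review bot: Request events leave this parser with `EventResult` set to 'Failure': in the same `extend` that derives `EventSubType` from `isnull(DnsResponseCode)`, the result is computed as `iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success')`, and for a request with no `rcode_name` the renamed `EventResultDetails` is empty, so `!~'NOERROR'` is true regardless of `rejected`. Because `EventSubType` is defined in that same `extend` it cannot be referenced there, so key off the response code directly: `EventResult = iff(isnull(DnsResponseCode), 'Success', iff(EventResultDetails !~ 'NOERROR' or rejected, 'Failure', 'Success')),`. Whether a bare request should report 'Success' or an empty result is a schema question I cannot settle from this file. The KQL is carried over unchanged by the resource restructuring, so this predates the commit.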
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "ASimDnsFortinetFortiGate", - "query": "let Parser = (disabled:bool=false) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", \"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", 
\"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 
249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string, sessionid:int) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == \"Unknown\",\"\",\n DnsQueryTypeName\n )\n 
| lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = \"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory,\n SessionId = DnsSessionId\n | extend \n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "ASimDnsFortinetFortiGate", + "query": "let Parser = (disabled:bool=false) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", 
\"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", \"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", \"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, 
\"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string, sessionid:int) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = 
FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == \"Unknown\",\"\",\n DnsQueryTypeName\n )\n | lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = \"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory,\n SessionId = DnsSessionId\n | extend \n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsGcp/ASimDnsGcp.json b/Parsers/ASimDns/ARM/ASimDnsGcp/ASimDnsGcp.json index 351dcc6e736..5c14d318a61 100644 --- a/Parsers/ASimDns/ARM/ASimDnsGcp/ASimDnsGcp.json +++ b/Parsers/ASimDns/ARM/ASimDnsGcp/ASimDnsGcp.json 
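Review bot: `EventOriginalResultDetailsLookup` carries the key `"16"` twice (`BADVERS` and `BADSIG`), and the later `| lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails` emits one row per matching dimension row, so every FortiGate event with rcode 16 is duplicated in the normalized output. Keep a single row for that code, e.g. `"16", "BADVERS", "Failure",` (the two names share the numeric value in the DNS registry, so which label to show is a presentation choice). Separately, `DnsQueryClass = FTNTFGTqtypeval` looks like it maps the numeric query-type value into the class field while `DnsQueryType` is recovered from the name via `lookup DnsQueryTypeLookup on DnsQueryTypeName`; worth confirming against the FortiGate field reference. Both points predate this commit, which only flattens the resource.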
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsGcp')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsGcp", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for GCP", - "category": "ASIM", - "FunctionAlias": "ASimDnsGcp", - "query": "// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\n[\"DEFAULT\",\"Informational\",\n\"DEBUG\",\"Informational\",\n\"INFO\",\"Informational\",\n\"NOTICE\",\"Medium\",\n\"WARNING\",\"Medium\",\n\"ERROR\",\"High\",\n\"CRITICAL\",\"High\",\n\"ALERT\",\"High\",\n\"EMERGENCY\",\"High\"\n];\nlet DNSQuery_GcpDns=(disabled:bool=false){\n GCP_DNS_CL | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where resource_type_s == \"dns_query\"\n | lookup GCPSeverityTable on severity_s\n | project-rename\n DnsQueryTypeName=payload_queryType_s,\n DnsResponseName=payload_rdata_s, \n EventResultDetails=payload_responseCode_s,\n NetworkProtocol=payload_protocol_s, \n SrcIpAddr=payload_sourceIP_s,\n EventOriginalUid=insert_id_s,\n EventOriginalSeverity=severity_s \n | extend\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \n EventCount=int(1),\n EventProduct='Cloud DNS',\n EventVendor='GCP',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"GCPDNS\" ,\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\n 
EventSubType='response',\n EventEndTime=todatetime(timestamp_t)\n | extend\n EventStartTime = EventEndTime,\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\n // -- Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n // Backward Computability\n | project-away *_s, *_d, *_b, *_t\n };\n DNSQuery_GcpDns(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for GCP", + "category": "ASIM", + "FunctionAlias": "ASimDnsGcp", + "query": "// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\n[\"DEFAULT\",\"Informational\",\n\"DEBUG\",\"Informational\",\n\"INFO\",\"Informational\",\n\"NOTICE\",\"Medium\",\n\"WARNING\",\"Medium\",\n\"ERROR\",\"High\",\n\"CRITICAL\",\"High\",\n\"ALERT\",\"High\",\n\"EMERGENCY\",\"High\"\n];\nlet DNSQuery_GcpDns=(disabled:bool=false){\n GCP_DNS_CL | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where resource_type_s == \"dns_query\"\n | lookup GCPSeverityTable on severity_s\n | project-rename\n DnsQueryTypeName=payload_queryType_s,\n DnsResponseName=payload_rdata_s, \n EventResultDetails=payload_responseCode_s,\n NetworkProtocol=payload_protocol_s, \n SrcIpAddr=payload_sourceIP_s,\n EventOriginalUid=insert_id_s,\n EventOriginalSeverity=severity_s \n | extend\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \n EventCount=int(1),\n EventProduct='Cloud DNS',\n EventVendor='GCP',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"GCPDNS\" ,\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\n EventSubType='response',\n EventEndTime=todatetime(timestamp_t)\n | extend\n EventStartTime = 
EventEndTime,\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\n // -- Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n // Backward Computability\n | project-away *_s, *_d, *_b, *_t\n };\n DNSQuery_GcpDns(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/ASimDnsInfobloxBloxOne.json b/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/ASimDnsInfobloxBloxOne.json new file mode 100644 index 00000000000..e4e50655a58 --- /dev/null +++ b/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/ASimDnsInfobloxBloxOne.json 
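Review bot: `EventResult` is computed twice with the identical expression, once in the first `extend` (`EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),`) and again in the following `extend` next to `EventStartTime`; the second assignment silently overwrites the first, so one of them should be dropped. The comment `// Backward Computability` reads as a typo for `// Backward Compatibility`; it sits inside the query string but is a KQL comment, so correcting it does not change behavior. Both are carried over unchanged from the old nested resource.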
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Dns ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "ASimDnsInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int) [ \"A\", 1, \"NS\", 2, \"MD\", 3, \"MF\", 4, \"CNAME\", 5, \"SOA\", 6, \"MB\", 7, \"MG\", 8, \"MR\", 9, \"NULL\", 10, \"WKS\", 11, \"PTR\", 12, \"HINFO\", 13, \"MINFO\", 14, \"MX\", 15, \"TXT\", 16, \"RP\", 17, \"AFSDB\", 18, \"X25\", 19, \"ISDN\", 20, \"RT\", 21, \"NSAP\", 22, \"NSAPPTR\", 23, \"SIG\", 24, \"KEY\", 25, \"PX\", 26, \"GPOS\", 27, \"AAAA\", 28, \"LOC\", 29, \"NXT\", 30, \"EID\", 31, \"NIMLOC\", 32, \"SRV\", 33, \"ATMA\", 34, \"NAPTR\", 35, \"KX\", 36, \"CERT\", 37, \"A6\", 38, \"DNAME\", 39, \"SINK\", 40, \"OPT\", 41, \"APL\", 42, \"DS\", 43, \"SSHFP\", 44, \"IPSECKEY\", 45, \"RRSIG\", 46, \"NSEC\", 47, \"DNSKEY\", 48, 
\"DHCID\", 49, \"NSEC3\", 50, \"NSEC3PARAM\", 51, \"TLSA\", 52, \"SMIMEA\", 53, \"HIP\", 55, \"NINFO\", 56, \"RKEY\", 57, \"TALINK\", 58, \"CDS\", 59, \"CDNSKEY\", 60, \"OPENPGPKEY\", 61, \"CSYNC\", 62, \"ZONEMD\", 63, \"SVCB\", 64, \"HTTPS\", 65, \"SPF\", 99, \"UINFO\", 100, \"UID\", 101, \"GID\", 102, \"UNSPEC\", 103, \"TKEY\", 249, \"TSIG\", 250, \"IXFR\", 251, \"MAILB\", 253, \"MAILA\", 254, \"ANY\", 255, \"URI\", 256, \"CAA\", 257, \"TA\", 32768, \"DLV\", 32769 ]; let DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int) [ \"NOERROR\", 0, \"FORMERR\", 1, \"SERVFAIL\", 2, \"NXDOMAIN\", 3, \"NOTIMPL\", 4, \"REFUSED\", 5, \"YXDOMAIN\", 6, \"YXRRSET\", 7, \"NXRRSET\", 8, \"NOTAUTH\", 9, \"NOTZONE\", 10, \"DSOTYPENI\", 11, \"RESERVED12\", 12, \"RESERVED13\", 13, \"RESERVED14\", 14, \"RESERVED15\", 15, \"BADVERS\", 16, \"BADKEY\", 17, \"BADTIME\", 18, \"BADMODE\", 19, \"BADNAME\", 20, \"BADALG\", 21, \"BADTRUNC\", 22, \"BADCOOKIE\", 23, ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"DNS\" | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | project-rename EventResultDetails = InfobloxDNSRCode, DnsQueryTypeName = InfobloxDNSQType, DnsFlags = InfobloxDNSQFlags | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0]) | lookup EventSeverityLookup on LogSeverity | lookup DnsQueryTypeLookup on DnsQueryTypeName | lookup DnsResponseCodeLookup on EventResultDetails | invoke _ASIM_ResolveDvcFQDN('DeviceName') | project-rename DnsQuery = DestinationDnsDomain, DvcIpAddr = DeviceAddress, SrcIpAddr = SourceIP, EventMessage = Message, EventOriginalSeverity = LogSeverity, EventOriginalType = DeviceEventClassID, SrcUsername = SourceUserName, SrcPortNumber = SourcePort, EventUid = _ItemId | extend Dvc = coalesce(DvcHostname, DvcIpAddr), 
EventEndTime = TimeGenerated, EventResult = iff(EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"), DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == \".\", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery), EventStartTime = TimeGenerated, Src = SrcIpAddr, SrcUsernameType = _ASIM_GetUsernameType(SrcUsername), DnsResponseCodeName = EventResultDetails, IpAddr = SrcIpAddr, User = SrcUsername | extend Domain = DnsQuery | extend EventCount = toint(1), EventSchema = \"Dns\", EventSchemaVersion = \"0.1.7\", EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventType = \"Query\", DnsQueryClass = toint(1), DnsQueryClassName = \"IN\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, EventOutcome, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, ExtID, Reason }; parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/README.md b/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/README.md new file mode 100644 index 00000000000..5b396c81f87 --- /dev/null +++ b/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/README.md 
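Review bot: The `query` string in this new template contains no `\n` separators, so the whole parser deploys as a single multi-thousand-character line, unlike every other template touched by this commit, whose queries keep their source line breaks; that makes the saved search hard to read or diff in the portal and suggests it was not emitted by the same generator as the others. The file is also added without a trailing newline (`\ No newline at end of file`) while the sibling templates in this same change gain one. One functional point to confirm: `EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure")` is a case-sensitive compare where the sibling parsers use `=~`, so if BloxOne emits the rcode in a different case every event is reported as a failure; `=~` is the safer spelling.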
@@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM Dns Normalization Parser + +ARM template for ASIM Dns schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing Dns logs from Infoblox BloxOne to the ASIM Dns normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Dns normalization schema reference](https://aka.ms/ASimDnsDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FASimDnsInfobloxBloxOne%2FASimDnsInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FASimDnsInfobloxBloxOne%2FASimDnsInfobloxBloxOne.json) diff --git a/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json b/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json index f5cb5db9c21..017ce804bfa 100644 --- a/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json +++ b/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsInfobloxNIOS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsInfobloxNIOS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Infoblox NIOS", - "category": "ASIM", - "FunctionAlias": "ASimDnsInfobloxNIOS", - "query": "let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\nlet response = (disabled: boolean=false) {\n SyslogProjected\n | where not(disabled)\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n | parse SyslogMessage with *\n \"client \" SrcIpAddr: string\n \"#\" SrcPortNumber: string\n \" \" NetworkProtocol: string\n \": query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\n | extend SrcPortNumber = toint(SrcPortNumber)\n | extend EventSubType = \"response\"\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\n };\n let request = (disabled: boolean=false) {\n SyslogProjected \n | where not(disabled)\n | 
where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\n | extend SyslogMessage = replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\n | parse SyslogMessage with \n SrcIpAddr: string\n \"#\" SrcPortNumber: int *\n \"query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" \" DnsFlags: string\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\n | extend \n EventSubType = \"request\",\n DnsResponseCodeName = \"NA\"\n | project-away SyslogMessage, ProcessName\n };\n let parser = (disabled:boolean=false) {\n union response (disabled), request (disabled)\n | extend\n EventCount=int(1),\n EventStartTime=todatetime(TimeGenerated),\n EventEndTime=todatetime(TimeGenerated),\n EventProduct=\"NIOS\",\n EventVendor=\"Infoblox\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventType=\"Query\", \n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\n // -- Aliases\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | project-away Computer\n | extend\n Dvc=DvcHostname,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventResultDetails = DnsResponseCodeName\n | project-away HostIP\n };\n parser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Infoblox NIOS", + "category": "ASIM", + "FunctionAlias": "ASimDnsInfobloxNIOS", + "query": "let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\nlet response = (disabled: boolean=false) 
{\n SyslogProjected\n | where not(disabled)\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n | parse SyslogMessage with *\n \"client \" SrcIpAddr: string\n \"#\" SrcPortNumber: string\n \" \" NetworkProtocol: string\n \": query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\n | extend SrcPortNumber = toint(SrcPortNumber)\n | extend EventSubType = \"response\"\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\n };\n let request = (disabled: boolean=false) {\n SyslogProjected \n | where not(disabled)\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\n | extend SyslogMessage = replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\n | parse SyslogMessage with \n SrcIpAddr: string\n \"#\" SrcPortNumber: int *\n \"query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" \" DnsFlags: string\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\n | extend \n EventSubType = \"request\",\n DnsResponseCodeName = \"NA\"\n | project-away SyslogMessage, ProcessName\n };\n let parser = (disabled:boolean=false) {\n union response (disabled), request 
(disabled)\n | extend\n EventCount=int(1),\n EventStartTime=todatetime(TimeGenerated),\n EventEndTime=todatetime(TimeGenerated),\n EventProduct=\"NIOS\",\n EventVendor=\"Infoblox\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventType=\"Query\", \n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\n // -- Aliases\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | project-away Computer\n | extend\n Dvc=DvcHostname,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventResultDetails = DnsResponseCodeName\n | project-away HostIP\n };\n parser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsMicrosoftNXlog/ASimDnsMicrosoftNXlog.json b/Parsers/ASimDns/ARM/ASimDnsMicrosoftNXlog/ASimDnsMicrosoftNXlog.json index b8523ebd8f1..043717497be 100644 --- a/Parsers/ASimDns/ARM/ASimDnsMicrosoftNXlog/ASimDnsMicrosoftNXlog.json +++ b/Parsers/ASimDns/ARM/ASimDnsMicrosoftNXlog/ASimDnsMicrosoftNXlog.json 
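Review bot: `"location": "[parameters('WorkspaceRegion')]"` is carried over unchanged onto the flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource, but as far as I know that resource type declares no location (it lives inside the workspace), so the line is at best ignored and at worst a template-validation warning; the same applies to the ASimDnsMicrosoftNXlog and ASimDnsMicrosoftOMS hunks below. I would drop the line and, if nothing else in the template reads it, the now-unused `WorkspaceRegion` parameter (its definition is above this hunk). These JSON files look generated by the ASimYaml2ARM tooling, so the fix belongs in the generator's resource template rather than in each emitted file. While here, `"etag": "*"` sits inside `properties`, whereas the documented template shape for this resource places `etag` at the resource's top level — worth confirming against the 2020-08-01 schema, since a misplaced etag may silently be ignored rather than forcing the overwrite the `*` is meant to express.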
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsMicrosoftNXlog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsMicrosoftNXlog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Microsoft DNS logs collected using NXlog", - "category": "ASIM", - "FunctionAlias": "ASimDnsMicrosoftNXlog", - "query": "let ASimDnsMicrosoftNXLog = (disabled:bool=false) {\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\n 256, 'Query'\n , 257, 'Query'\n , 258, 'Query'\n , 259, 'Query'\n , 260, 'Query'\n , 261, 'Query'\n , 262, 'Query'\n , 263, 'Dynamic update'\n , 264, 'Dynamic update'\n , 265, 'Zone XFR'\n , 266, 'Zone XFR'\n , 267, 'Zone XFR'\n , 268, 'Zone XFR'\n , 269, 'Zone XFR'\n , 270, 'Zone XFR'\n , 271, 'Zone XFR'\n , 272, 'Zone XFR'\n , 273, 'Zone XFR'\n , 274, 'Zone XFR'\n , 275, 'Zone XFR'\n , 276, 'Zone XFR'\n , 277, 'Dynamic update'\n , 278, 'Dynamic update'\n , 279, 'Query'\n , 280, 'Query'\n];\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\n 256, 'request'\n, 257, 'response'\n, 258, 'response'\n, 259, 'response'\n, 260, 'request'\n, 261, 'response'\n, 262, 'response'\n, 263, 'request'\n, 264, 'response'\n, 265, 'request'\n, 266, 'request'\n, 267, 'response'\n, 268, 'response'\n, 269, 'request'\n, 270, 'request'\n, 271, 'response'\n, 272, 'response'\n, 273, 'request'\n, 274, 'request'\n, 275, 'response'\n, 276, 'response'\n, 277, 'request'\n, 278, 'response'\n, 279, 'response'\n, 280, 'response'\n];\nlet 
EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\n 256, 'NA'\n , 257, 'Success'\n , 258, 'Failure'\n , 259, 'Failure'\n , 260, 'NA'\n , 261, 'NA'\n , 262, 'Failure'\n , 263, 'NA'\n , 264, 'Based on RCODE'\n , 265, 'NA'\n , 266, 'NA'\n , 267, 'Based on RCODE'\n , 268, 'Based on RCODE'\n , 269, 'NA'\n , 270, 'NA'\n , 271, 'Based on RCODE'\n , 272, 'Based on RCODE'\n , 273, 'NA'\n , 274, 'NA'\n , 275, 'Success'\n , 276, 'Success'\n , 277, 'NA'\n , 278, 'Based on RCODE'\n , 279, 'NA'\n , 280, 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\n 0,'NOERROR'\n , 1,'FORMERR'\n , 2,'SERVFAIL'\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'\n];\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\n 0, 'Reserved'\n , 1, 'A'\n , 2, 'NS'\n , 3, 'MD'\n , 4, 'MF'\n , 5, 'CNAME'\n , 6, 'SOA'\n , 7, 'MB'\n , 8 ,'MG'\n , 9 ,'MR'\n , 10,'NULL'\n , 11,'WKS'\n , 12,'PTR'\n , 13,'HINFO'\n , 14,'MINFO'\n , 15,'MX'\n , 16,'TXT'\n , 17,'RP'\n , 18,'AFSDB'\n , 19,'X25'\n , 20,'ISDN'\n , 21,'RT'\n , 22,'NSAP'\n , 23,'NSAP-PTR'\n , 24,'SIG'\n , 25,'KEY'\n , 26,'PX'\n , 27,'GPOS'\n , 28,'AAAA'\n , 29,'LOC'\n , 30,'NXT'\n , 31,'EID'\n , 32,'NIMLOC'\n , 33,'SRV'\n , 34,'ATMA'\n , 35,'NAPTR'\n , 36,'KX'\n , 37,'CERT'\n , 38,'A6'\n , 39,'DNAME'\n , 40,'SINK'\n , 41,'OPT'\n , 42,'APL'\n , 43,'DS'\n , 44,'SSHFP'\n , 45,'IPSECKEY'\n , 46,'RRSIG'\n , 47,'NSEC'\n , 48,'DNSKEY'\n , 49,'DHCID'\n , 50,'NSEC3'\n , 51,'NSEC3PARAM'\n , 52,'TLSA'\n , 53,'SMIMEA'\n , 55,'HIP'\n , 56,'NINFO'\n , 57,'RKEY'\n , 58,'TALINK'\n , 59,'CDS'\n , 60,'CDNSKEY'\n , 61,'OPENPGPKEY'\n , 62,'CSYNC'\n , 63,'ZONEMD'\n , 64,'SVCB'\n , 65,'HTTPS'\n , 99,'SPF'\n , 100,'UINFO'\n , 101,'UID'\n , 102,'GID'\n , 
103,'UNSPEC'\n , 104,'NID'\n , 105,'L32'\n , 106,'L64'\n , 107,'LP'\n , 108,'EUI48'\n , 109,'EUI64'\n , 249,'TKEY'\n , 250,'TSIG'\n , 251,'IXFR'\n , 252,'AXFR'\n , 253,'MAILB'\n , 254,'MAILA'\n , 255,'*'\n , 256,'URI'\n , 257,'CAA'\n , 258,'AVC'\n , 259,'DOA'\n , 32768,'TA'\n , 32769,'DLV'\n];\nNXLog_DNS_Server_CL | where not(disabled)\n| where EventID_d < 281\n| project-rename\n DnsFlags=Flags_s,\n DnsQuery=QNAME_s,\n DnsQueryType=QTYPE_s,\n DnsResponseCode=RCODE_s,\n DnsResponseName=PacketData_s,\n Dvc=Hostname_s,\n EventOriginalType=EventID_d,\n EventOriginalUid=GUID_g,\n EventStartTime=EventTime_t,\n SrcIpAddr=Source_s,\n EventUid=_ItemId\n| extend\n DnsQuery=trim_end(\".\",DnsQuery),\n DnsQueryType=toint(DnsQueryType),\n DnsResponseCode=toint(DnsResponseCode),\n SrcPortNumber=toint(Port_s),\n DvcHostname=Dvc,\n DvcIpAddr=HostIP_s,\n EventEndTime=EventStartTime,\n EventProduct = \"DNS Server\",\n EventSchemaVersion = \"0.1.7\",\n EventVendor = \"Microsoft\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\n TransactionIdHex=tohex(toint(XID_s)),\n DnsFlagsAuthenticated = tobool(AD_s),\n DnsFlagsAuthoritative = tobool(AA_s),\n DnsFlagsRecursionDesired = tobool(RD_s)\n| lookup EventTypeTable on EventOriginalType\n| lookup EventSubTypeTable on EventOriginalType\n| lookup EventResultTable on EventOriginalType\n| lookup RCodeTable on DnsResponseCode\n| lookup QTypeTable on DnsQueryType\n| extend\n EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventOriginalType = tostring(EventOriginalType)\n| extend\n Domain=DnsQuery,\n DnsResponseCodeName=EventResultDetails,\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\n , DnsQueryType between (66 .. 98), 'Unassigned'\n , DnsQueryType between (110 .. 248), 'Unassigned'\n , DnsQueryType between (261 .. 
32767), 'Unassigned'\n , 'Unassigned'),\n EventResult=iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n | extend\n // Aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId\n};\nASimDnsMicrosoftNXLog(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Microsoft DNS logs collected using NXlog", + "category": "ASIM", + "FunctionAlias": "ASimDnsMicrosoftNXlog", + "query": "let ASimDnsMicrosoftNXLog = (disabled:bool=false) {\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\n 256, 'Query'\n , 257, 'Query'\n , 258, 'Query'\n , 259, 'Query'\n , 260, 'Query'\n , 261, 'Query'\n , 262, 'Query'\n , 263, 'Dynamic update'\n , 264, 'Dynamic update'\n , 265, 'Zone XFR'\n , 266, 'Zone XFR'\n , 267, 'Zone XFR'\n , 268, 'Zone XFR'\n , 269, 'Zone XFR'\n , 270, 'Zone XFR'\n , 271, 'Zone XFR'\n , 272, 'Zone XFR'\n , 273, 'Zone XFR'\n , 274, 'Zone XFR'\n , 275, 'Zone XFR'\n , 276, 'Zone XFR'\n , 277, 'Dynamic update'\n , 278, 'Dynamic update'\n , 279, 'Query'\n , 280, 'Query'\n];\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\n 256, 'request'\n, 257, 'response'\n, 258, 'response'\n, 259, 'response'\n, 260, 'request'\n, 261, 'response'\n, 262, 'response'\n, 263, 'request'\n, 264, 'response'\n, 265, 'request'\n, 266, 'request'\n, 267, 'response'\n, 268, 'response'\n, 269, 'request'\n, 270, 'request'\n, 271, 'response'\n, 272, 'response'\n, 273, 'request'\n, 274, 'request'\n, 275, 'response'\n, 276, 'response'\n, 277, 'request'\n, 278, 'response'\n, 279, 'response'\n, 280, 'response'\n];\nlet EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\n 256, 'NA'\n , 257, 'Success'\n , 
258, 'Failure'\n , 259, 'Failure'\n , 260, 'NA'\n , 261, 'NA'\n , 262, 'Failure'\n , 263, 'NA'\n , 264, 'Based on RCODE'\n , 265, 'NA'\n , 266, 'NA'\n , 267, 'Based on RCODE'\n , 268, 'Based on RCODE'\n , 269, 'NA'\n , 270, 'NA'\n , 271, 'Based on RCODE'\n , 272, 'Based on RCODE'\n , 273, 'NA'\n , 274, 'NA'\n , 275, 'Success'\n , 276, 'Success'\n , 277, 'NA'\n , 278, 'Based on RCODE'\n , 279, 'NA'\n , 280, 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\n 0,'NOERROR'\n , 1,'FORMERR'\n , 2,'SERVFAIL'\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'\n];\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\n 0, 'Reserved'\n , 1, 'A'\n , 2, 'NS'\n , 3, 'MD'\n , 4, 'MF'\n , 5, 'CNAME'\n , 6, 'SOA'\n , 7, 'MB'\n , 8 ,'MG'\n , 9 ,'MR'\n , 10,'NULL'\n , 11,'WKS'\n , 12,'PTR'\n , 13,'HINFO'\n , 14,'MINFO'\n , 15,'MX'\n , 16,'TXT'\n , 17,'RP'\n , 18,'AFSDB'\n , 19,'X25'\n , 20,'ISDN'\n , 21,'RT'\n , 22,'NSAP'\n , 23,'NSAP-PTR'\n , 24,'SIG'\n , 25,'KEY'\n , 26,'PX'\n , 27,'GPOS'\n , 28,'AAAA'\n , 29,'LOC'\n , 30,'NXT'\n , 31,'EID'\n , 32,'NIMLOC'\n , 33,'SRV'\n , 34,'ATMA'\n , 35,'NAPTR'\n , 36,'KX'\n , 37,'CERT'\n , 38,'A6'\n , 39,'DNAME'\n , 40,'SINK'\n , 41,'OPT'\n , 42,'APL'\n , 43,'DS'\n , 44,'SSHFP'\n , 45,'IPSECKEY'\n , 46,'RRSIG'\n , 47,'NSEC'\n , 48,'DNSKEY'\n , 49,'DHCID'\n , 50,'NSEC3'\n , 51,'NSEC3PARAM'\n , 52,'TLSA'\n , 53,'SMIMEA'\n , 55,'HIP'\n , 56,'NINFO'\n , 57,'RKEY'\n , 58,'TALINK'\n , 59,'CDS'\n , 60,'CDNSKEY'\n , 61,'OPENPGPKEY'\n , 62,'CSYNC'\n , 63,'ZONEMD'\n , 64,'SVCB'\n , 65,'HTTPS'\n , 99,'SPF'\n , 100,'UINFO'\n , 101,'UID'\n , 102,'GID'\n , 103,'UNSPEC'\n , 104,'NID'\n , 105,'L32'\n , 106,'L64'\n , 107,'LP'\n , 108,'EUI48'\n , 109,'EUI64'\n , 249,'TKEY'\n , 
250,'TSIG'\n , 251,'IXFR'\n , 252,'AXFR'\n , 253,'MAILB'\n , 254,'MAILA'\n , 255,'*'\n , 256,'URI'\n , 257,'CAA'\n , 258,'AVC'\n , 259,'DOA'\n , 32768,'TA'\n , 32769,'DLV'\n];\nNXLog_DNS_Server_CL | where not(disabled)\n| where EventID_d < 281\n| project-rename\n DnsFlags=Flags_s,\n DnsQuery=QNAME_s,\n DnsQueryType=QTYPE_s,\n DnsResponseCode=RCODE_s,\n DnsResponseName=PacketData_s,\n Dvc=Hostname_s,\n EventOriginalType=EventID_d,\n EventOriginalUid=GUID_g,\n EventStartTime=EventTime_t,\n SrcIpAddr=Source_s,\n EventUid=_ItemId\n| extend\n DnsQuery=trim_end(\".\",DnsQuery),\n DnsQueryType=toint(DnsQueryType),\n DnsResponseCode=toint(DnsResponseCode),\n SrcPortNumber=toint(Port_s),\n DvcHostname=Dvc,\n DvcIpAddr=HostIP_s,\n EventEndTime=EventStartTime,\n EventProduct = \"DNS Server\",\n EventSchemaVersion = \"0.1.7\",\n EventVendor = \"Microsoft\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\n TransactionIdHex=tohex(toint(XID_s)),\n DnsFlagsAuthenticated = tobool(AD_s),\n DnsFlagsAuthoritative = tobool(AA_s),\n DnsFlagsRecursionDesired = tobool(RD_s)\n| lookup EventTypeTable on EventOriginalType\n| lookup EventSubTypeTable on EventOriginalType\n| lookup EventResultTable on EventOriginalType\n| lookup RCodeTable on DnsResponseCode\n| lookup QTypeTable on DnsQueryType\n| extend\n EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventOriginalType = tostring(EventOriginalType)\n| extend\n Domain=DnsQuery,\n DnsResponseCodeName=EventResultDetails,\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\n , DnsQueryType between (66 .. 98), 'Unassigned'\n , DnsQueryType between (110 .. 248), 'Unassigned'\n , DnsQueryType between (261 .. 
32767), 'Unassigned'\n , 'Unassigned'),\n EventResult=iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n | extend\n // Aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId\n};\nASimDnsMicrosoftNXLog(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsMicrosoftOMS/ASimDnsMicrosoftOMS.json b/Parsers/ASimDns/ARM/ASimDnsMicrosoftOMS/ASimDnsMicrosoftOMS.json index 297c6b9eb83..b02704155d0 100644 --- a/Parsers/ASimDns/ARM/ASimDnsMicrosoftOMS/ASimDnsMicrosoftOMS.json +++ b/Parsers/ASimDns/ARM/ASimDnsMicrosoftOMS/ASimDnsMicrosoftOMS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsMicrosoftOMS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsMicrosoftOMS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Windows DNS log collected using the Log Analytics agent", - "category": "ASIM", - "FunctionAlias": "ASimDnsMicrosoftOMS", - "query": "let EventTypeTable=datatable(EventOriginalType:int,EventType:string,EventSubType:string, EventResult:string)[\n 256, 'Query', 'request', 'NA'\n, 257, 'Query', 'response', 'Success'\n, 258, 'Query', 'response', 'Based on RCODE'\n, 259, 'Query', 'response', 'Based on RCODE'\n, 260, 'Query', 'request', 'NA'\n, 261, 'Query', 'response', 'NA'\n, 262, 'Query', 'response', 'Based on RCODE'\n, 263, 'Update', 'request', 'NA'\n, 264, 'Update', 'response', 'Based on RCODE'\n, 265, 'XFR', 'request', 'NA' \n, 266, 'XFR', 'request', 'NA'\n, 267, 'XFR', 'response', 'Based on RCODE'\n, 268, 'XFR', 'response', 'Based on RCODE'\n, 269, 'XFR', 'request', 'NA'\n, 270, 'XFR', 'request', 'NA'\n, 271, 'XFR', 'response', 'Based on RCODE'\n, 272, 'XFR', 'response', 'Based on RCODE'\n, 273, 'XFR', 'request', 'NA'\n, 274, 'XFR', 'request', 'NA'\n, 275, 'XFR', 'response', 'Success'\n, 276, 'XFR', 'response', 'Success'\n, 277, 'Update', 'request', 'NA'\n, 278, 'Update', 'response', 'Based on RCODE'\n, 279, 'Query', 'NA', 'NA'\n, 280, 'Query', 'NA', 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n 0, 'NOERROR'\n , 1, \"FORMERR\"\n , 2,\"SERVFAIL\"\n , 
3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'];\nlet QueryTypeSymbols=datatable(QTypeSeq:string,QTypeName:string)[\n\"0\", \"Reserved\",\n\"1\", \"A\",\n\"2\", \"NS\",\n\"3\", \"MD\",\n\"4\", \"MF\",\n\"5\", \"CNAME\",\n\"6\", \"SOA\",\n\"7\", \"MB\",\n\"8\", \"MG\",\n\"9\", \"MR\",\n\"10\", \"NULL\",\n\"11\", \"WKS\",\n\"12\", \"PTR\",\n\"13\", \"HINFO\",\n\"14\", \"MINFO\",\n\"15\", \"MX\",\n\"16\", \"TXT\",\n\"17\", \"RP\",\n\"18\", \"AFSDB\",\n\"19\", \"X25\",\n\"20\", \"ISDN\",\n\"21\", \"RT\",\n\"22\", \"NSAP\",\n\"23\", \"NSAP-PTR\",\n\"24\", \"SIG\",\n\"25\", \"KEY\",\n\"26\", \"PX\",\n\"27\", \"GPOS\",\n\"28\", \"AAAA\",\n\"29\", \"LOC\",\n\"30\", \"NXT\",\n\"31\", \"EID\",\n\"32\", \"NIMLOC\",\n\"33\", \"SRV\",\n\"34\", \"ATMA\",\n\"35\", \"NAPTR\",\n\"36\", \"KX\",\n\"37\", \"CERT\",\n\"38\", \"A6\",\n\"39\", \"DNAME\",\n\"40\", \"SINK\",\n\"41\", \"OPT\",\n\"42\", \"APL\",\n\"43\", \"DS\",\n\"44\", \"SSHFP\",\n\"45\", \"IPSECKEY\",\n\"46\", \"RRSIG\",\n\"47\", \"NSEC\",\n\"48\", \"DNSKEY\",\n\"49\", \"DHCID\",\n\"50\", \"NSEC3\",\n\"51\", \"NSEC3PARAM\",\n\"52\", \"TLSA\",\n\"53\", \"SMIMEA\",\n\"54\", \"Unassigned\",\n\"55\", \"HIP\",\n\"56\", \"NINFO\",\n\"57\", \"RKEY\",\n\"58\", \"TALINK\",\n\"59\", \"CDS\",\n\"60\", \"CDNSKEY\",\n\"61\", \"OPENPGPKEY\",\n\"62\", \"CSYNC\",\n\"99\", \"SPF\",\n\"100\", \"UINFO\",\n\"101\", \"UID\",\n\"102\", \"GID\",\n\"103\", \"UNSPEC\",\n\"104\", \"NID\",\n\"105\", \"L32\",\n\"106\", \"L64\",\n\"107\", \"LP\",\n\"108\", \"EUI48\",\n\"109\", \"EUI64\",\n\"249\", \"TKEY\",\n\"250\", \"TSIG\",\n\"251\", \"IXFR\",\n\"252\", \"AXFR\",\n\"253\", \"MAILB\",\n\"254\", \"MAILA\",\n\"255\", \"All\",\n\"256\", \"URI\",\n\"257\", \"CAA\",\n\"258\", \"AVC\",\n\"259\", 
\"DOA\",\n\"32768\", \"TA\",\n\"32769\", \"DLV\"];\nlet DNSQuery_MS=(disabled:bool=false){\n DnsEvents | where not(disabled)\n| where EventId < 500\n| lookup QueryTypeSymbols on $left.QueryType == $right.QTypeSeq\n| extend DnsQueryTypeName=coalesce(QTypeName, QueryType)\n| project-rename\n Dvc=Computer ,\n SrcIpAddr = ClientIP,\n EventMessage = Message,\n EventOriginalType = EventId,\n EventReportUrl = ReportReferenceLink,\n DnsResponseName = IPAddresses,\n DnsQuery = Name,\n DnsResponseCode = ResultCode\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n , DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n| extend DvcDomainType=iff(DvcFQDN !=\"\",\"FQDN\",\"\" )\n| project-away hostelements\n| extend\n EventCount=int(1),\n EventStartTime=TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"DNS Server\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventEndTime=TimeGenerated,\n EventSeverity = tostring(Severity)\n | lookup RCodeTable on DnsResponseCode\n | lookup EventTypeTable on EventOriginalType\n | extend EventResultDetails = case (isnotempty(DnsResponseCodeName), DnsResponseCodeName\n , DnsResponseCode between (3841 .. 
4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventResult = iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n// **************Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventOriginalType=tostring(EventOriginalType)\n | project-away \n SubType, QTypeName, QueryType, SourceSystem, TaskCategory, Remote*, Severity, Result, Confidence, Description, IndicatorThreatType, MaliciousIP\n };\nDNSQuery_MS (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Windows DNS log collected using the Log Analytics agent", + "category": "ASIM", + "FunctionAlias": "ASimDnsMicrosoftOMS", + "query": "let EventTypeTable=datatable(EventOriginalType:int,EventType:string,EventSubType:string, EventResult:string)[\n 256, 'Query', 'request', 'NA'\n, 257, 'Query', 'response', 'Success'\n, 258, 'Query', 'response', 'Based on RCODE'\n, 259, 'Query', 'response', 'Based on RCODE'\n, 260, 'Query', 'request', 'NA'\n, 261, 'Query', 'response', 'NA'\n, 262, 'Query', 'response', 'Based on RCODE'\n, 263, 'Update', 'request', 'NA'\n, 264, 'Update', 'response', 'Based on RCODE'\n, 265, 'XFR', 'request', 'NA' \n, 266, 'XFR', 'request', 'NA'\n, 267, 'XFR', 'response', 'Based on RCODE'\n, 268, 'XFR', 'response', 'Based on RCODE'\n, 269, 'XFR', 'request', 'NA'\n, 270, 'XFR', 'request', 'NA'\n, 271, 'XFR', 'response', 'Based on RCODE'\n, 272, 'XFR', 'response', 'Based on RCODE'\n, 273, 'XFR', 'request', 'NA'\n, 274, 'XFR', 'request', 'NA'\n, 275, 'XFR', 'response', 'Success'\n, 276, 'XFR', 'response', 'Success'\n, 277, 'Update', 'request', 'NA'\n, 278, 'Update', 'response', 'Based on RCODE'\n, 279, 'Query', 'NA', 'NA'\n, 280, 'Query', 'NA', 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n 0, 'NOERROR'\n , 1, \"FORMERR\"\n , 
2,\"SERVFAIL\"\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'];\nlet QueryTypeSymbols=datatable(QTypeSeq:string,QTypeName:string)[\n\"0\", \"Reserved\",\n\"1\", \"A\",\n\"2\", \"NS\",\n\"3\", \"MD\",\n\"4\", \"MF\",\n\"5\", \"CNAME\",\n\"6\", \"SOA\",\n\"7\", \"MB\",\n\"8\", \"MG\",\n\"9\", \"MR\",\n\"10\", \"NULL\",\n\"11\", \"WKS\",\n\"12\", \"PTR\",\n\"13\", \"HINFO\",\n\"14\", \"MINFO\",\n\"15\", \"MX\",\n\"16\", \"TXT\",\n\"17\", \"RP\",\n\"18\", \"AFSDB\",\n\"19\", \"X25\",\n\"20\", \"ISDN\",\n\"21\", \"RT\",\n\"22\", \"NSAP\",\n\"23\", \"NSAP-PTR\",\n\"24\", \"SIG\",\n\"25\", \"KEY\",\n\"26\", \"PX\",\n\"27\", \"GPOS\",\n\"28\", \"AAAA\",\n\"29\", \"LOC\",\n\"30\", \"NXT\",\n\"31\", \"EID\",\n\"32\", \"NIMLOC\",\n\"33\", \"SRV\",\n\"34\", \"ATMA\",\n\"35\", \"NAPTR\",\n\"36\", \"KX\",\n\"37\", \"CERT\",\n\"38\", \"A6\",\n\"39\", \"DNAME\",\n\"40\", \"SINK\",\n\"41\", \"OPT\",\n\"42\", \"APL\",\n\"43\", \"DS\",\n\"44\", \"SSHFP\",\n\"45\", \"IPSECKEY\",\n\"46\", \"RRSIG\",\n\"47\", \"NSEC\",\n\"48\", \"DNSKEY\",\n\"49\", \"DHCID\",\n\"50\", \"NSEC3\",\n\"51\", \"NSEC3PARAM\",\n\"52\", \"TLSA\",\n\"53\", \"SMIMEA\",\n\"54\", \"Unassigned\",\n\"55\", \"HIP\",\n\"56\", \"NINFO\",\n\"57\", \"RKEY\",\n\"58\", \"TALINK\",\n\"59\", \"CDS\",\n\"60\", \"CDNSKEY\",\n\"61\", \"OPENPGPKEY\",\n\"62\", \"CSYNC\",\n\"99\", \"SPF\",\n\"100\", \"UINFO\",\n\"101\", \"UID\",\n\"102\", \"GID\",\n\"103\", \"UNSPEC\",\n\"104\", \"NID\",\n\"105\", \"L32\",\n\"106\", \"L64\",\n\"107\", \"LP\",\n\"108\", \"EUI48\",\n\"109\", \"EUI64\",\n\"249\", \"TKEY\",\n\"250\", \"TSIG\",\n\"251\", \"IXFR\",\n\"252\", \"AXFR\",\n\"253\", \"MAILB\",\n\"254\", \"MAILA\",\n\"255\", \"All\",\n\"256\", \"URI\",\n\"257\", \"CAA\",\n\"258\", 
\"AVC\",\n\"259\", \"DOA\",\n\"32768\", \"TA\",\n\"32769\", \"DLV\"];\nlet DNSQuery_MS=(disabled:bool=false){\n DnsEvents | where not(disabled)\n| where EventId < 500\n| lookup QueryTypeSymbols on $left.QueryType == $right.QTypeSeq\n| extend DnsQueryTypeName=coalesce(QTypeName, QueryType)\n| project-rename\n Dvc=Computer ,\n SrcIpAddr = ClientIP,\n EventMessage = Message,\n EventOriginalType = EventId,\n EventReportUrl = ReportReferenceLink,\n DnsResponseName = IPAddresses,\n DnsQuery = Name,\n DnsResponseCode = ResultCode\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n , DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n| extend DvcDomainType=iff(DvcFQDN !=\"\",\"FQDN\",\"\" )\n| project-away hostelements\n| extend\n EventCount=int(1),\n EventStartTime=TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"DNS Server\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventEndTime=TimeGenerated,\n EventSeverity = tostring(Severity)\n | lookup RCodeTable on DnsResponseCode\n | lookup EventTypeTable on EventOriginalType\n | extend EventResultDetails = case (isnotempty(DnsResponseCodeName), DnsResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventResult = iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n// **************Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventOriginalType=tostring(EventOriginalType)\n | project-away \n SubType, QTypeName, QueryType, SourceSystem, TaskCategory, Remote*, Severity, Result, Confidence, Description, IndicatorThreatType, MaliciousIP\n };\nDNSQuery_MS (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json b/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json index 76103c2736c..82f221e3f57 100644 --- a/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json +++ b/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Sysmon for Windows", - "category": "ASIM", - "FunctionAlias": "ASimDnsMicrosoftSysmon", - "query": "let parser = (disabled:bool=false) {\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n ];\nlet ParsedDnsEvent_Event =(disabled:bool=false) {\n Event | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n | project-away Source, EventID\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n QueryName:string,\n QueryStatus:int,\n QueryResults:string,\n Image:string,\n User:string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n EventEndTime = UtcTime,\n 
SrcProcessId = ProcessId,\n SrcProcessGuid = ProcessGuid,\n DnsQuery = QueryName,\n DnsResponseCode = QueryStatus,\n DnsResponseName = QueryResults,\n SrcProcessName = Image,\n SrcUsername = User\n | project-away EventData\n};\nParsedDnsEvent_Event(disabled)\n | lookup RCodeTable on DnsResponseCode\n | project-rename \n DvcHostname = Computer,\n // EventUid = _ItemId, \n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n // -- Aliases\n | extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Hostname=DvcHostname,\n Src = DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Sysmon for Windows", + "category": "ASIM", + "FunctionAlias": "ASimDnsMicrosoftSysmon", + "query": "let parser = (disabled:bool=false) {\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See 
https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n ];\nlet ParsedDnsEvent_Event =(disabled:bool=false) {\n Event | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n | project-away Source, EventID\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n QueryName:string,\n QueryStatus:int,\n QueryResults:string,\n Image:string,\n User:string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n EventEndTime = UtcTime,\n SrcProcessId = ProcessId,\n SrcProcessGuid = ProcessGuid,\n DnsQuery = QueryName,\n DnsResponseCode = QueryStatus,\n DnsResponseName = QueryResults,\n SrcProcessName = Image,\n SrcUsername = User\n | project-away EventData\n};\nParsedDnsEvent_Event(disabled)\n | lookup RCodeTable on DnsResponseCode\n | project-rename \n DvcHostname = Computer,\n // EventUid = _ItemId, \n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName 
= iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n // -- Aliases\n | extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Hostname=DvcHostname,\n Src = DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmonWindowsEvent/ASimDnsMicrosoftSysmonWindowsEvent.json b/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmonWindowsEvent/ASimDnsMicrosoftSysmonWindowsEvent.json index 7fe54114e67..3adfdd3731d 100644 --- a/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmonWindowsEvent/ASimDnsMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmonWindowsEvent/ASimDnsMicrosoftSysmonWindowsEvent.json 
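Review bot: The RCodeTable datatable on the new side carries the key 9016 twice (`, 9016,'BADVERS'` followed by `, 9016,'BADSIG'`), and `lookup RCodeTable on DnsResponseCode` emits one output row per matching right-side row, so a Sysmon event with QueryStatus 9016 appears to be duplicated with two different DnsResponseCodeName values, which would inflate EventCount-based aggregations and any detection that counts failed lookups. The commit only flattens the ARM resource and copies the query verbatim, so this is pre-existing, but it survives unchanged into the new file. The file looks generated (`"functionParameters": "disabled:bool=False"` is a Python-style literal), so the fix presumably belongs in the KQL this template is produced from: collapse the two rows into one such as `, 9016,'BADVERS/BADSIG'` (Windows assigns both names to 9016, matching RFC RCODE 16), or otherwise keep the lookup key unique. The same table, with the same duplicate, is in the ASimDnsMicrosoftSysmonWindowsEvent hunk that follows.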
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Sysmon for Windows", - "category": "ASIM", - "FunctionAlias": "ASimDnsMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled:bool=false) {\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n ];\nlet ParsedDnsEvent_WindowsEvent =(disabled:bool=false) {\n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n | project-away Provider, EventID \n | extend \n RuleName = tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n SrcProcessGuid = tostring(EventData.ProcessGuid),\n // extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), 
typeof(string)),\n SrcProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseCode = toint(EventData.QueryStatus),\n DnsResponseName = tostring(EventData.QueryResults),\n SrcProcessName = tostring(EventData.Image),\n SrcUsername = tostring(EventData.User)\n | project-away EventData\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\n};\nParsedDnsEvent_WindowsEvent(disabled)\n | lookup RCodeTable on DnsResponseCode\n | project-rename \n DvcHostname = Computer,\n // EventUid = _ItemId, \n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n // -- Aliases\n | extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Hostname=DvcHostname,\n Src = DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Sysmon for Windows", + "category": "ASIM", + 
"FunctionAlias": "ASimDnsMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled:bool=false) {\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n ];\nlet ParsedDnsEvent_WindowsEvent =(disabled:bool=false) {\n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n | project-away Provider, EventID \n | extend \n RuleName = tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n SrcProcessGuid = tostring(EventData.ProcessGuid),\n // extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n SrcProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseCode = toint(EventData.QueryStatus),\n DnsResponseName = tostring(EventData.QueryResults),\n SrcProcessName = tostring(EventData.Image),\n SrcUsername = tostring(EventData.User)\n | project-away EventData\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\n};\nParsedDnsEvent_WindowsEvent(disabled)\n | lookup RCodeTable on DnsResponseCode\n | project-rename \n DvcHostname = Computer,\n // EventUid = _ItemId, \n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType 
= 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n // -- Aliases\n | extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Hostname=DvcHostname,\n Src = DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json b/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json index 3e0c49e7abc..f708ebdfc78 100644 --- a/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json +++ b/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Microsoft Sentinel native DNS table", - "category": "ASIM", - "FunctionAlias": "ASimDnsNative", - "query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n Dvc = coalesce (Dvc, DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n EventSchema = \"Dns\"\n // -- Type fixes\n | extend\n ThreatConfidence = toint(ThreatConfidence),\n ThreatFirstReportedTime = todatetime(ThreatFirstReportedTime),\n ThreatIsActive = tobool(ThreatIsActive),\n ThreatLastReportedTime = todatetime(ThreatLastReportedTime),\n ThreatOriginalRiskLevel = tostring(ThreatOriginalRiskLevel),\n ThreatRiskLevel = toint(ThreatRiskLevel) \n // -- Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n SessionId = DnsSessionId,\n User = SrcUsername,\n Hostname = SrcHostname,\n DvcScopeId = coalesce(DvcScopeId,_SubscriptionId)\n | project-away\n TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser 
(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Microsoft Sentinel native DNS table", + "category": "ASIM", + "FunctionAlias": "ASimDnsNative", + "query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n Dvc = coalesce (Dvc, DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n EventSchema = \"Dns\"\n // -- Type fixes\n | extend\n ThreatConfidence = toint(ThreatConfidence),\n ThreatFirstReportedTime = todatetime(ThreatFirstReportedTime),\n ThreatIsActive = tobool(ThreatIsActive),\n ThreatLastReportedTime = todatetime(ThreatLastReportedTime),\n ThreatOriginalRiskLevel = tostring(ThreatOriginalRiskLevel),\n ThreatRiskLevel = toint(ThreatRiskLevel) \n // -- Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n SessionId = DnsSessionId,\n User = SrcUsername,\n Hostname = SrcHostname,\n DvcScopeId = coalesce(DvcScopeId,_SubscriptionId)\n | project-away\n TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsSentinelOne/ASimDnsSentinelOne.json b/Parsers/ASimDns/ARM/ASimDnsSentinelOne/ASimDnsSentinelOne.json index 96902f26f79..232491360bf 100644 --- a/Parsers/ASimDns/ARM/ASimDnsSentinelOne/ASimDnsSentinelOne.json +++ b/Parsers/ASimDns/ARM/ASimDnsSentinelOne/ASimDnsSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimDnsSentinelOne", - "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on 
alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has \"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that should exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n 
alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend \n DnsQueryType = iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n 
EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimDnsSentinelOne", + "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet 
ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has \"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that should 
exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend \n DnsQueryType = iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = 
alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n 
ThreatConfidence_*\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json b/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json index 57e95cc4479..d10e484f8fc 100644 --- a/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json +++ b/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS ASIM parser for Vectra AI Steams", - "category": "ASIM", - "FunctionAlias": "ASimDnsVectraAI", - "query": "let parser = (disabled:bool=false) {\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where metadata_type_s == 'metadata_dns'\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", 
DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = toint(id_orig_p_d),\n TransactionIdHex = tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS ASIM parser for Vectra AI Steams", + "category": "ASIM", + "FunctionAlias": "ASimDnsVectraAI", + "query": "let parser = (disabled:bool=false) {\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 
1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where metadata_type_s == 'metadata_dns'\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = toint(id_orig_p_d),\n TransactionIdHex = 
tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsZscalerZIA/ASimDnsZscalerZIA.json b/Parsers/ASimDns/ARM/ASimDnsZscalerZIA/ASimDnsZscalerZIA.json index d1d724c9161..8d651820ae8 100644 --- a/Parsers/ASimDns/ARM/ASimDnsZscalerZIA/ASimDnsZscalerZIA.json +++ b/Parsers/ASimDns/ARM/ASimDnsZscalerZIA/ASimDnsZscalerZIA.json 
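Review bot: The `disabled` parameter of the new `query` value is declared but never applied — the function body goes straight from `VectraStream_CL` into `project-away`, with no `| where not(disabled)` like the ZscalerZIA parser in the next hunk has — so a caller passing `disabled=true` (the mechanism the watchlist-driven union parsers use to switch a source off) still runs the full query against the table. Inserting `VectraStream_CL\n | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer` fixes it here; if this ARM file is generated from a parser YAML, the same line belongs there or the next regeneration will drop it. The `displayName` on the new side also carries a typo, `"DNS ASIM parser for Vectra AI Steams"` should read `Streams`.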
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Zscaler ZIA", - "category": "ASIM", - "FunctionAlias": "ASimDnsZscalerZIA", - "query": "let ZscalerDNSevents=(disabled:bool=false){\n CommonSecurityLog \n | where not(disabled)\n | where DeviceProduct == \"NSSDNSlog\" \n | project-rename\n Dvc=Computer , \n SrcIpAddr = SourceIP, \n SrcUsername = SourceUserName, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n EventProductVersion = DeviceVersion, \n DnsQueryTypeName = DeviceCustomString4, \n DnsQuery = DeviceCustomString5, \n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\n reqaction = DeviceCustomString2, \n resaction = DeviceCustomString3, \n DvcUsername = SourceUserID,\n DvcZone = SourceUserPrivileges,\n SrcHostname = DeviceName,\n NetworkProtocol = Protocol,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n | extend\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA DNS\", \n EventSchema = \"Dns\", \n EventSchemaVersion=\"0.1.3\", \n EventEndTime=TimeGenerated, \n SrcUsernameType = \"UPN\", \n EventSubType = iff(resaction == 'None', 'request', 'response'), \n DvcAction = iff(resaction == 'None', reqaction, resaction), \n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 
'NOERROR'), \n EventType = 'Query', \n RuleName = strcat (FlexString1, \" / \", FlexString2),\n // -- Adjustment to support both old and new CSL fields.\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \n DnsNetworkDuration = coalesce(\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\n )\n | extend \n EventResult = case (\n EventSubType == 'request', 'NA', \n EventResultDetails == 'NOERROR', 'Success',\n 'Failure'),\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n // -- Aliases\n | extend\n DnsResponseCodeName = EventResultDetails,\n Domain = DnsQuery,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Hostname = SrcHostname,\n Dst = DstIpAddr,\n DvcHostname = Dvc,\n Duration = DnsNetworkDuration,\n User = SrcUsername,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\n };\nZscalerDNSevents (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Zscaler ZIA", + "category": "ASIM", + "FunctionAlias": "ASimDnsZscalerZIA", + "query": "let ZscalerDNSevents=(disabled:bool=false){\n CommonSecurityLog \n | where not(disabled)\n | where DeviceProduct == \"NSSDNSlog\" \n | project-rename\n Dvc=Computer , \n SrcIpAddr = SourceIP, \n SrcUsername = SourceUserName, \n DstIpAddr = DestinationIP, \n 
DstPortNumber = DestinationPort, \n EventProductVersion = DeviceVersion, \n DnsQueryTypeName = DeviceCustomString4, \n DnsQuery = DeviceCustomString5, \n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\n reqaction = DeviceCustomString2, \n resaction = DeviceCustomString3, \n DvcUsername = SourceUserID,\n DvcZone = SourceUserPrivileges,\n SrcHostname = DeviceName,\n NetworkProtocol = Protocol,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n | extend\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA DNS\", \n EventSchema = \"Dns\", \n EventSchemaVersion=\"0.1.3\", \n EventEndTime=TimeGenerated, \n SrcUsernameType = \"UPN\", \n EventSubType = iff(resaction == 'None', 'request', 'response'), \n DvcAction = iff(resaction == 'None', reqaction, resaction), \n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR'), \n EventType = 'Query', \n RuleName = strcat (FlexString1, \" / \", FlexString2),\n // -- Adjustment to support both old and new CSL fields.\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \n DnsNetworkDuration = coalesce(\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\n )\n | extend \n EventResult = case (\n EventSubType == 'request', 'NA', \n EventResultDetails == 'NOERROR', 'Success',\n 'Failure'),\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n // -- Aliases\n | extend\n DnsResponseCodeName = EventResultDetails,\n Domain = DnsQuery,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Hostname = SrcHostname,\n Dst = DstIpAddr,\n DvcHostname = Dvc,\n Duration = DnsNetworkDuration,\n User = SrcUsername,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away AdditionalExtensions, 
CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\n };\nZscalerDNSevents (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/FullDeploymentDns.json b/Parsers/ASimDns/ARM/FullDeploymentDns.json index 4bcbceae23e..1f305b78c7d 100644 --- a/Parsers/ASimDns/ARM/FullDeploymentDns.json +++ b/Parsers/ASimDns/ARM/FullDeploymentDns.json @@ -138,6 +138,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimDnsInfobloxBloxOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/ASimDnsInfobloxBloxOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
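Review bot: The added `linkedASimDnsInfobloxBloxOne` deployment points `templateLink.uri` at the `master` branch on raw.githubusercontent.com, so the parser actually deployed is whatever that path holds at deployment time rather than the content reviewed in this commit; as far as I know `contentVersion` is only compared against the version string the linked template declares (`1.0.0.0`, never bumped here), not against its body. This matches every existing entry in the file, so it is a pre-existing design choice rather than something this commit introduces, but each new linked template widens the surface that depends on the branch being trustworthy at deploy time. If reproducible deployments are wanted, a tag or commit-pinned path in place of `master`, or a packaged release artifact, would make the deployed content match what was reviewed. The second hunk (`@@ -458,6 +478,26 @@`, `linkedvimDnsInfobloxBloxOne`) has the same shape.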
@@ -458,6 +478,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsInfobloxBloxOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/vimDnsInfobloxBloxOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimDns/ARM/imDns/imDns.json b/Parsers/ASimDns/ARM/imDns/imDns.json index 3b3577558e9..da9957c2626 100644 --- a/Parsers/ASimDns/ARM/imDns/imDns.json +++ b/Parsers/ASimDns/ARM/imDns/imDns.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imDns')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imDns", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser.", - "category": "ASIM", - "FunctionAlias": "imDns", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup', pack:bool=false ){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n vimDnsAzureFirewall ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsAzureFirewall' in (DisabledParsers) ))),\n vimDnsCiscoUmbrella ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsCiscoUmbrella' in (DisabledParsers) ))),\n vimDnsCorelightZeek ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, 
(imDnsBuiltInDisabled or('ExcludevimDnsCorelightZeek' in (DisabledParsers) ))),\n vimDnsFortinetFortiGate ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsFortinetFortiGate' in (DisabledParsers) ))),\n vimDnsGcp ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsDnsGcp' in (DisabledParsers) ))),\n vimDnsInfobloxNIOS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxNIOS' in (DisabledParsers) ))),\n vimDnsMicrosoftNXlog ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftNXlog' in (DisabledParsers) ))),\n vimDnsMicrosoftOMS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftOMS' in (DisabledParsers) ))),\n vimDnsMicrosoftSysmon ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmon' in (DisabledParsers) ))),\n vimDnsMicrosoftSysmonWindowsEvent ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmonWindowsevent' in (DisabledParsers) ))),\n vimDnsNative ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsNative' in (DisabledParsers) ))),\n vimDnsSentinelOne ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, 
response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsSentinelOne' in (DisabledParsers) ))),\n vimDnsVectraAI ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsVectraAI' in (DisabledParsers) ))),\n vimDnsZscalerZIA ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA' in (DisabledParsers) )))\n };\nGeneric( starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='lookup',pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser.", + "category": "ASIM", + "FunctionAlias": "imDns", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup', pack:bool=false ){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n vimDnsAzureFirewall ( starttime, endtime, srcipaddr, 
domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsAzureFirewall' in (DisabledParsers) ))),\n vimDnsCiscoUmbrella ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsCiscoUmbrella' in (DisabledParsers) ))),\n vimDnsCorelightZeek ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsCorelightZeek' in (DisabledParsers) ))),\n vimDnsFortinetFortiGate ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsFortinetFortiGate' in (DisabledParsers) ))),\n vimDnsGcp ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsDnsGcp' in (DisabledParsers) ))),\n vimDnsInfobloxNIOS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxNIOS' in (DisabledParsers) ))),\n vimDnsMicrosoftNXlog ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftNXlog' in (DisabledParsers) ))),\n vimDnsMicrosoftOMS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftOMS' in (DisabledParsers) ))),\n vimDnsMicrosoftSysmon ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmon' in (DisabledParsers) ))),\n vimDnsMicrosoftSysmonWindowsEvent ( 
starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmonWindowsevent' in (DisabledParsers) ))),\n vimDnsNative ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsNative' in (DisabledParsers) ))),\n vimDnsSentinelOne ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsSentinelOne' in (DisabledParsers) ))),\n vimDnsVectraAI ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsVectraAI' in (DisabledParsers) ))),\n vimDnsZscalerZIA ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA' in (DisabledParsers) ))),\n vimDnsInfobloxBloxOne ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxBloxOne' in (DisabledParsers) )))\n };\nGeneric( starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='lookup',pack:bool=False" + } } ] -} \ No newline at end of file +} 
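Review bot: The exclusion keys in the new `query` are not uniformly derived from the parser names, so the `ASimDisabledParsers` switch silently misses some parsers: `vimDnsGcp` is gated on `'ExcludevimDnsDnsGcp'` (extra `Dns`) and `vimDnsMicrosoftSysmonWindowsEvent` on `'ExcludevimDnsMicrosoftSysmonWindowsevent'` (lowercase `event`), and KQL's `in` is case-sensitive, so a watchlist row spelled after the function name would disable neither. The new `vimDnsInfobloxBloxOne` entry uses the expected `'ExcludevimDnsInfobloxBloxOne'`, so only the two pre-existing keys need correcting, to `'ExcludevimDnsGcp'` and `'ExcludevimDnsMicrosoftSysmonWindowsEvent'` — unless published watchlist guidance already relies on the current spellings, in which case that guidance is what should be checked. Style: the new entry is appended after `vimDnsZscalerZIA`, breaking the otherwise alphabetical order of the union; placing it after `vimDnsInfobloxNIOS` keeps the list scannable. If this file is generated from a parser YAML, the change should be made there as well.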
diff --git a/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json b/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json index ffe674b6e5e..ede9b49614b 100644 --- a/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json +++ b/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsAzureFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsAzureFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Azure Firewall", - "category": "ASIM", - "FunctionAlias": "vimDnsAzureFirewall", - "query": "let DNS_query=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ){\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \"DNS Request:\"\n // --Pre-parsing filtering:\n | where\n // Return empty list if response IPs are passed\n (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or has_ipv4(msg_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or msg_s has_any (domain_has_any))\n and (responsecodename=='*' or msg_s has(responsecodename))\n // --\n | parse msg_s with\n \"DNS Request: \" \n 
SrcIpAddr:string \":\" SrcPortNumber:int \n \" - \" EventOriginalUid:string \n \" \" DnsQueryTypeName:string \n \" \" DnsQueryClassName:string\n \" \" DnsQuery:string\n \". \" NetworkProtocol:string \n \" \" SrcBytes:int \n \" \" DnsDNSSECflag:bool \n \" \" DnsDNSSECBufferSize:int \n \" \" EventResultDetails:string \n \" \" DnsFlags:string\n \" \" DstBytes:int\n \" \" DnsNetworkDuration:double\n \"s\"\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename==\"*\" or EventResultDetails has responsecodename)\n | project-away msg_s\n | extend\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventSubType = \"response\",\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \n};\nlet DNS_error=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ) {\n AzureDiagnostics\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \" Error:\"\n // --Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') // Return empty list if response IPs are passed\n and (array_length(response_has_any_prefix) ==0) // Return empty list if response IPs are passed\n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or has_ipv4(msg_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or msg_s has_any (domain_has_any))\n and 
(responsecodename=='*') // Return empty list if response code is passed\n // --\n | parse msg_s with \n \" Error: \" nu:string \n \" \" DnsQuery:string \n \". \" DnsQueryTypeName:string \n \": \" op:string \n \" \" NetworkProtocol:string\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \n \"->\" DstIpAddr:string \":\" DstPortNumber:int \n \": \" EventResultOriginalDetails:string\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n | project-away msg_s\n | extend \n EventResult = \"Failure\",\n EventSubType = \"request\"\n};\nlet DNS = (\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ) {\n union \n DNS_query (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled),\n DNS_error (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n | extend\n NetworkProtocol = toupper(NetworkProtocol)\n | project-rename\n DvcId = ResourceId\n | extend\n DvcIdType = \"AzureResourceId\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"Azure Firewall\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.3\",\n EventEndTime = TimeGenerated, \n EventType = 'Query',\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\n DnsFlagsTruncates = DnsFlags has \"tc\"\n | extend\n // -- Aliases\n 
DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Dst=DstIpAddr,\n Duration = DnsNetworkDuration,\n Dvc=DvcId\n | extend\n // -- Backward Compatibility\n Query = DnsQuery,\n QueryTypeName = DnsQueryTypeName,\n ResponseCodeName = DnsResponseCodeName,\n Flags = DnsFlags\n};\nDNS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Azure Firewall", + "category": "ASIM", + "FunctionAlias": "vimDnsAzureFirewall", + "query": "let DNS_query=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ){\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \"DNS Request:\"\n // --Pre-parsing filtering:\n | where\n // Return empty list if response IPs are passed\n (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or has_ipv4(msg_s, srcipaddr))\n and 
(array_length(domain_has_any) ==0 or msg_s has_any (domain_has_any))\n and (responsecodename=='*' or msg_s has(responsecodename))\n // --\n | parse msg_s with\n \"DNS Request: \" \n SrcIpAddr:string \":\" SrcPortNumber:int \n \" - \" EventOriginalUid:string \n \" \" DnsQueryTypeName:string \n \" \" DnsQueryClassName:string\n \" \" DnsQuery:string\n \". \" NetworkProtocol:string \n \" \" SrcBytes:int \n \" \" DnsDNSSECflag:bool \n \" \" DnsDNSSECBufferSize:int \n \" \" EventResultDetails:string \n \" \" DnsFlags:string\n \" \" DstBytes:int\n \" \" DnsNetworkDuration:double\n \"s\"\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename==\"*\" or EventResultDetails has responsecodename)\n | project-away msg_s\n | extend\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventSubType = \"response\",\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \n};\nlet DNS_error=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ) {\n AzureDiagnostics\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \" Error:\"\n // --Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') // Return empty list if response IPs are passed\n and (array_length(response_has_any_prefix) ==0) // Return empty list if response IPs are passed\n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n and (isnull(starttime) or TimeGenerated >= starttime)\n and 
(isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or has_ipv4(msg_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or msg_s has_any (domain_has_any))\n and (responsecodename=='*') // Return empty list if response code is passed\n // --\n | parse msg_s with \n \" Error: \" nu:string \n \" \" DnsQuery:string \n \". \" DnsQueryTypeName:string \n \": \" op:string \n \" \" NetworkProtocol:string\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \n \"->\" DstIpAddr:string \":\" DstPortNumber:int \n \": \" EventResultOriginalDetails:string\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n | project-away msg_s\n | extend \n EventResult = \"Failure\",\n EventSubType = \"request\"\n};\nlet DNS = (\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ) {\n union \n DNS_query (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled),\n DNS_error (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n | extend\n NetworkProtocol = toupper(NetworkProtocol)\n | project-rename\n DvcId = ResourceId\n | extend\n DvcIdType = \"AzureResourceId\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"Azure Firewall\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.3\",\n EventEndTime = TimeGenerated, \n EventType = 'Query',\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\n 
DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\n DnsFlagsTruncates = DnsFlags has \"tc\"\n | extend\n // -- Aliases\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Dst=DstIpAddr,\n Duration = DnsNetworkDuration,\n Dvc=DvcId\n | extend\n // -- Backward Compatibility\n Query = DnsQuery,\n QueryTypeName = DnsQueryTypeName,\n ResponseCodeName = DnsResponseCodeName,\n Flags = DnsFlags\n};\nDNS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json b/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json index 2f475b1d65a..44d3b6c3e60 100644 --- a/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json +++ b/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsCiscoUmbrella')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsCiscoUmbrella", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Cisco Umbrella", - "category": "ASIM", - "FunctionAlias": "vimDnsCiscoUmbrella", - "query": "let DNSQuery_CiscoUmbrella=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([])\n , eventtype:string='Query'\n , disabled:bool=false\n ){\n Cisco_Umbrella_dns_CL | where not(disabled)\n // ******************************************************************\n // Pre-parsing filterring:\n | where\n // Return empty list if response IPs are passed\n (eventtype in~ ('lookup','Query'))\n and (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or InternalIp_s==srcipaddr)\n and (array_length(domain_has_any) ==0 or Domain_s has_any (domain_has_any))\n and (responsecodename=='*' or ResponseCode_s=~responsecodename)\n // *****************************************************************\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\n //\n | project \n //\n // ******************* Mandatory\n EventCount=int(1),\n 
EventStartTime=todatetime(column_ifexists('Timestamp_t',column_ifexists('Timestamp_s',''))),\n EventProduct=\"Umbrella\",\n EventVendor=\"Cisco\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"CiscoUmbrella\" ,\n EventType=\"Query\",\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\n EventResultDetails=ResponseCode_s, // => ResponseCodeNames\n //\n TimeGenerated, // not handled by schema, but we need to preserve it\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n EventSubType='response',\n // ********** Renamed columns\n UrlCategory=column_ifexists('Categories_s', ''),\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n EventEndTime=todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") )),\n //\n // *************** keep Parsed data\n DnsQueryType, DnsQueryTypeName\n // **************Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n DomainCategory=UrlCategory,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n };\nDNSQuery_CiscoUmbrella( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Cisco Umbrella", + "category": "ASIM", + "FunctionAlias": "vimDnsCiscoUmbrella", + "query": "let DNSQuery_CiscoUmbrella=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , 
domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([])\n , eventtype:string='Query'\n , disabled:bool=false\n ){\n Cisco_Umbrella_dns_CL | where not(disabled)\n // ******************************************************************\n // Pre-parsing filterring:\n | where\n // Return empty list if response IPs are passed\n (eventtype in~ ('lookup','Query'))\n and (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or InternalIp_s==srcipaddr)\n and (array_length(domain_has_any) ==0 or Domain_s has_any (domain_has_any))\n and (responsecodename=='*' or ResponseCode_s=~responsecodename)\n // *****************************************************************\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\n //\n | project \n //\n // ******************* Mandatory\n EventCount=int(1),\n EventStartTime=todatetime(column_ifexists('Timestamp_t',column_ifexists('Timestamp_s',''))),\n EventProduct=\"Umbrella\",\n EventVendor=\"Cisco\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"CiscoUmbrella\" ,\n EventType=\"Query\",\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\n EventResultDetails=ResponseCode_s, // => ResponseCodeNames\n //\n TimeGenerated, // not handled by schema, but we need to preserve it\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n EventSubType='response',\n // ********** Renamed columns\n UrlCategory=column_ifexists('Categories_s', ''),\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n EventEndTime=todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") )),\n 
//\n // *************** keep Parsed data\n DnsQueryType, DnsQueryTypeName\n // **************Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n DomainCategory=UrlCategory,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n };\nDNSQuery_CiscoUmbrella( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json b/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json index b8f48958d25..92b6f4e8d8f 100644 --- a/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json +++ b/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsCorelightZeek')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsCorelightZeek", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Corelight Zeek", - "category": "ASIM", - "FunctionAlias": "vimDnsCorelightZeek", - "query": "let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 54, \"Unassigned\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, 
\"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"ANY\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"];\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'];\nlet parser=(\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([])\n , eventtype:string='Query'\n , disabled:bool=false\n ){\n Corelight_CL | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (eventtype in~ ('lookup', 'Query'))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"')\n and (srcipaddr=='*' or has_ipv4(Message, srcipaddr))\n and (array_length(domain_has_any) ==0 or Message has_any (domain_has_any))\n and (responsecodename=='*' or Message has responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(Message,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(Message, response_has_any_prefix))\n // --\n | project Message, TimeGenerated\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"trans_id\"']:int,\n ['\"query\"']:string,\n ['\"qclass\"']:int,\n ['\"qtype\"']:int,\n ['\"AA\"']:bool,\n ['\"TC\"']:bool,\n ['\"CD\"']:bool,\n ['\"RD\"']:bool,\n ['\"RA\"']:bool,\n ['\"Z\"']:int,\n ['\"rejected\"']:bool,\n 
['\"rcode\"']:int,\n ['\"rcode_name\"']:string,\n ['\"rtt\"']:real,\n ) \n with (quote = '\"')\n | parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or srcipaddr==['\"id.orig_h\"'])\n and (array_length(domain_has_any) ==0 or ['\"query\"'] has_any (domain_has_any))\n and (responsecodename==\"*\" or ['\"rcode_name\"'] has responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(answers,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers, response_has_any_prefix))\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.4\",\n EventType=\"Query\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n DnsQuery = ['\"query\"'],\n DnsResponseCode = ['\"rcode\"'],\n EventResultDetails = ['\"rcode_name\"'],\n DnsFlagsAuthoritative = ['\"AA\"'],\n DnsFlagsTruncated = ['\"TC\"'],\n DnsFlagsRecursionDesired = ['\"RD\"'],\n DnsFlagsCheckingDisabled = ['\"CD\"'],\n DnsFlagsRecursionAvailable = ['\"RA\"'],\n DnsQueryClass = ['\"qclass\"'],\n DnsQueryType = ['\"qtype\"'],\n rtt = ['\"rtt\"'],\n Z = ['\"Z\"'],\n trans_id = ['\"trans_id\"'],\n rejected = ['\"rejected\"'],\n Dvc = ['\"_system_name\"']\n | lookup query_type_lookup on DnsQueryType\n | lookup class_lookup on DnsQueryClass\n | extend\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\n DnsNetworkDuration = toint(rtt*1000),\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", 
DnsQueryType), DnsQueryTypeName),\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\n TransactionIdHex = tohex(toint(trans_id)),\n DnsFlagsZ = (Z != 0),\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\n | project-away rtt\n // Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n Dst=DstIpAddr\n | project-away Message, Z, TTLs, answers, trans_id, rejected\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Corelight Zeek", + "category": "ASIM", + "FunctionAlias": "vimDnsCorelightZeek", + "query": "let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, 
\"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 54, \"Unassigned\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"ANY\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"];\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'];\nlet parser=(\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([])\n , eventtype:string='Query'\n , disabled:bool=false\n ){\n Corelight_CL | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (eventtype in~ ('lookup', 'Query'))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"')\n and (srcipaddr=='*' or has_ipv4(Message, srcipaddr))\n and (array_length(domain_has_any) ==0 or Message has_any (domain_has_any))\n and (responsecodename=='*' or Message has responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(Message,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(Message, 
response_has_any_prefix))\n // --\n | project Message, TimeGenerated\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"trans_id\"']:int,\n ['\"query\"']:string,\n ['\"qclass\"']:int,\n ['\"qtype\"']:int,\n ['\"AA\"']:bool,\n ['\"TC\"']:bool,\n ['\"CD\"']:bool,\n ['\"RD\"']:bool,\n ['\"RA\"']:bool,\n ['\"Z\"']:int,\n ['\"rejected\"']:bool,\n ['\"rcode\"']:int,\n ['\"rcode_name\"']:string,\n ['\"rtt\"']:real,\n ) \n with (quote = '\"')\n | parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or srcipaddr==['\"id.orig_h\"'])\n and (array_length(domain_has_any) ==0 or ['\"query\"'] has_any (domain_has_any))\n and (responsecodename==\"*\" or ['\"rcode_name\"'] has responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(answers,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers, response_has_any_prefix))\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.4\",\n EventType=\"Query\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n DnsQuery = ['\"query\"'],\n DnsResponseCode = ['\"rcode\"'],\n EventResultDetails = ['\"rcode_name\"'],\n DnsFlagsAuthoritative = ['\"AA\"'],\n DnsFlagsTruncated = ['\"TC\"'],\n DnsFlagsRecursionDesired = ['\"RD\"'],\n DnsFlagsCheckingDisabled = ['\"CD\"'],\n DnsFlagsRecursionAvailable = ['\"RA\"'],\n DnsQueryClass = 
['\"qclass\"'],\n DnsQueryType = ['\"qtype\"'],\n rtt = ['\"rtt\"'],\n Z = ['\"Z\"'],\n trans_id = ['\"trans_id\"'],\n rejected = ['\"rejected\"'],\n Dvc = ['\"_system_name\"']\n | lookup query_type_lookup on DnsQueryType\n | lookup class_lookup on DnsQueryClass\n | extend\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\n DnsNetworkDuration = toint(rtt*1000),\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", DnsQueryType), DnsQueryTypeName),\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\n TransactionIdHex = tohex(toint(trans_id)),\n DnsFlagsZ = (Z != 0),\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\n | project-away rtt\n // Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n Dst=DstIpAddr\n | project-away Message, Z, TTLs, answers, trans_id, rejected\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json b/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json index d4444e4f9f4..d5018ae68b0 100644 --- a/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json 
+++ b/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimDnsEmpty", - "query": "let EmptyNewDnsEvents=datatable(\n _ResourceId: string,\n AdditionalFields: dynamic,\n DnsFlags: string,\n DnsFlagsAuthenticated: bool,\n DnsFlagsAuthoritative: bool,\n DnsFlagsCheckingDisabled: bool,\n DnsFlagsRecursionAvailable: bool,\n DnsFlagsRecursionDesired: bool,\n DnsFlagsTruncated: bool,\n DnsFlagsZ: bool,\n DnsNetworkDuration: int,\n DnsQuery: string,\n DnsQueryClass: int,\n DnsQueryClassName: string,\n DnsQueryType: int,\n DnsQueryTypeName: string,\n DnsResponseCode: int,\n DnsResponseCodeName: string,\n DnsResponseIpCity: string,\n DnsResponseIpCountry: string,\n DnsResponseIpLatitude: real,\n DnsResponseIpLongitude: real,\n DnsResponseIpRegion: string,\n DnsResponseName: string,\n DnsSessionId: string,\n Domain: string,\n DomainCategory: string,\n Dst: string,\n DstDescription: string,\n DstDeviceType: string,\n DstDomain: string,\n DstDomainType: string,\n DstDvcId: string,\n DstDvcIdType: string,\n DstDvcScopeId: string,\n DstDvcScope: string,\n DstFQDN: string,\n DstGeoCity: string,\n DstGeoCountry: string,\n DstGeoLatitude: real,\n DstGeoLongitude: real,\n DstGeoRegion: string,\n DstHostname: string,\n DstIpAddr: string,\n DstPortNumber: int,\n DstRiskLevel: int,\n DstOriginalRiskLevel: string,\n Duration: int,\n Dvc: 
string,\n DvcAction: string,\n DvcDescription: string,\n DvcDomain: string,\n DvcDomainType: string,\n DvcFQDN: string,\n DvcHostname: string,\n DvcId: string,\n DvcIdType: string,\n DvcInterface: string,\n DvcIpAddr: string,\n DvcMacAddr: string,\n DvcOriginalAction: string,\n DvcOs: string,\n DvcOsVersion: string,\n DvcScope: string,\n DvcScopeId: string,\n DvcZone: string,\n EventCount: int,\n EventEndTime: datetime,\n EventMessage: string,\n EventOriginalSeverity: string,\n EventOriginalSubType: string,\n EventOriginalType: string,\n EventOriginalUid: string,\n EventOwner: string,\n EventProduct: string,\n EventProductVersion: string,\n EventReportUrl: string,\n EventResult: string,\n EventResultDetails: string,\n EventSchema: string,\n EventSchemaVersion: string,\n EventSeverity: string,\n EventStartTime: datetime,\n EventSubType: string,\n EventType: string,\n EventUid: string,\n EventVendor: string,\n Hostname: string,\n IpAddr: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string,\n Process: string,\n Rule: string,\n RuleName: string,\n RuleNumber: int,\n SessionId: string,\n Src: string,\n SrcDescription: string,\n SrcDeviceType: string,\n SrcDomain: string,\n SrcDomainType: string,\n SrcDvcId: string,\n SrcDvcIdType: string,\n SrcDvcScope: string,\n SrcDvcScopeId: string,\n SrcFQDN: string,\n SrcGeoCity: string,\n SrcGeoCountry: string,\n SrcGeoLatitude: real,\n SrcGeoLongitude: real,\n SrcGeoRegion: string,\n SrcHostname: string,\n SrcIpAddr: string,\n SrcOriginalRiskLevel: string,\n SrcOriginalUserType: string,\n SrcPortNumber: int,\n SrcProcessGuid: string,\n SrcProcessId: string,\n SrcProcessName: string,\n SrcRiskLevel: int,\n SrcUserId: string,\n SrcUserAadId: string,\n SrcUserSid: string,\n SrcUserAWSId: string,\n SrcUserOktaId: string,\n SrcUserUid: string,\n SrcUserIdType: string,\n SrcUserScope: string,\n SrcUserScopeId: string,\n SrcUsername: string,\n SrcUsernameType: string,\n SrcUserType: string,\n SrcUserSessionId: string,\n 
TenantId: string,\n ThreatCategory: string,\n ThreatConfidence: int,\n ThreatField: string,\n ThreatFirstReportedTime: datetime,\n ThreatId: string,\n ThreatIpAddr: string,\n ThreatIsActive: bool,\n ThreatLastReportedTime: datetime,\n ThreatName: string,\n ThreatOriginalConfidence: string,\n ThreatOriginalRiskLevel: string,\n ThreatRiskLevel: int,\n TimeGenerated: datetime,\n TransactionIdHex: string,\n Type: string,\n UrlCategory: string,\n User: string\n)[];\nEmptyNewDnsEvents \n", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimDnsEmpty", + "query": "let EmptyNewDnsEvents=datatable(\n _ResourceId: string,\n AdditionalFields: dynamic,\n DnsFlags: string,\n DnsFlagsAuthenticated: bool,\n DnsFlagsAuthoritative: bool,\n DnsFlagsCheckingDisabled: bool,\n DnsFlagsRecursionAvailable: bool,\n DnsFlagsRecursionDesired: bool,\n DnsFlagsTruncated: bool,\n DnsFlagsZ: bool,\n DnsNetworkDuration: int,\n DnsQuery: string,\n DnsQueryClass: int,\n DnsQueryClassName: string,\n DnsQueryType: int,\n DnsQueryTypeName: string,\n DnsResponseCode: int,\n DnsResponseCodeName: string,\n DnsResponseIpCity: string,\n DnsResponseIpCountry: string,\n DnsResponseIpLatitude: real,\n DnsResponseIpLongitude: real,\n DnsResponseIpRegion: string,\n DnsResponseName: string,\n DnsSessionId: string,\n Domain: string,\n DomainCategory: string,\n Dst: string,\n DstDescription: string,\n DstDeviceType: string,\n DstDomain: string,\n DstDomainType: string,\n DstDvcId: string,\n DstDvcIdType: string,\n DstDvcScopeId: string,\n DstDvcScope: string,\n DstFQDN: string,\n DstGeoCity: string,\n DstGeoCountry: string,\n DstGeoLatitude: real,\n DstGeoLongitude: real,\n DstGeoRegion: string,\n DstHostname: string,\n DstIpAddr: string,\n DstPortNumber: int,\n DstRiskLevel: int,\n DstOriginalRiskLevel: string,\n Duration: int,\n Dvc: string,\n DvcAction: string,\n DvcDescription: string,\n DvcDomain: 
string,\n DvcDomainType: string,\n DvcFQDN: string,\n DvcHostname: string,\n DvcId: string,\n DvcIdType: string,\n DvcInterface: string,\n DvcIpAddr: string,\n DvcMacAddr: string,\n DvcOriginalAction: string,\n DvcOs: string,\n DvcOsVersion: string,\n DvcScope: string,\n DvcScopeId: string,\n DvcZone: string,\n EventCount: int,\n EventEndTime: datetime,\n EventMessage: string,\n EventOriginalSeverity: string,\n EventOriginalSubType: string,\n EventOriginalType: string,\n EventOriginalUid: string,\n EventOwner: string,\n EventProduct: string,\n EventProductVersion: string,\n EventReportUrl: string,\n EventResult: string,\n EventResultDetails: string,\n EventSchema: string,\n EventSchemaVersion: string,\n EventSeverity: string,\n EventStartTime: datetime,\n EventSubType: string,\n EventType: string,\n EventUid: string,\n EventVendor: string,\n Hostname: string,\n IpAddr: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string,\n Process: string,\n Rule: string,\n RuleName: string,\n RuleNumber: int,\n SessionId: string,\n Src: string,\n SrcDescription: string,\n SrcDeviceType: string,\n SrcDomain: string,\n SrcDomainType: string,\n SrcDvcId: string,\n SrcDvcIdType: string,\n SrcDvcScope: string,\n SrcDvcScopeId: string,\n SrcFQDN: string,\n SrcGeoCity: string,\n SrcGeoCountry: string,\n SrcGeoLatitude: real,\n SrcGeoLongitude: real,\n SrcGeoRegion: string,\n SrcHostname: string,\n SrcIpAddr: string,\n SrcOriginalRiskLevel: string,\n SrcOriginalUserType: string,\n SrcPortNumber: int,\n SrcProcessGuid: string,\n SrcProcessId: string,\n SrcProcessName: string,\n SrcRiskLevel: int,\n SrcUserId: string,\n SrcUserAadId: string,\n SrcUserSid: string,\n SrcUserAWSId: string,\n SrcUserOktaId: string,\n SrcUserUid: string,\n SrcUserIdType: string,\n SrcUserScope: string,\n SrcUserScopeId: string,\n SrcUsername: string,\n SrcUsernameType: string,\n SrcUserType: string,\n SrcUserSessionId: string,\n TenantId: string,\n ThreatCategory: string,\n ThreatConfidence: 
int,\n ThreatField: string,\n ThreatFirstReportedTime: datetime,\n ThreatId: string,\n ThreatIpAddr: string,\n ThreatIsActive: bool,\n ThreatLastReportedTime: datetime,\n ThreatName: string,\n ThreatOriginalConfidence: string,\n ThreatOriginalRiskLevel: string,\n ThreatRiskLevel: int,\n TimeGenerated: datetime,\n TransactionIdHex: string,\n Type: string,\n UrlCategory: string,\n User: string\n)[];\nEmptyNewDnsEvents \n", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsFortinetFortigate/vimDnsFortinetFortigate.json b/Parsers/ASimDns/ARM/vimDnsFortinetFortigate/vimDnsFortinetFortigate.json index a3d00632d29..418312c8234 100644 --- a/Parsers/ASimDns/ARM/vimDnsFortinetFortigate/vimDnsFortinetFortigate.json +++ b/Parsers/ASimDns/ARM/vimDnsFortinetFortigate/vimDnsFortinetFortigate.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "vimDnsFortinetFortiGate", - "query": "let Parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", 
\"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", \"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsResponseCodeNameLookup = toscalar(\n EventOriginalResultDetailsLookup\n | where not(disabled)\n | where (responsecodename == '*' or EventResultDetails =~ responsecodename)\n | project EventOriginalResultDetails\n );\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, 
\"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | where (srcipaddr == \"*\" or SourceIP == srcipaddr) and\n (array_length(domain_has_any) == 0 or AdditionalExtensions has_any (domain_has_any)) and\n (responsecodename == '*' or AdditionalExtensions has DnsResponseCodeNameLookup) and\n (response_has_ipv4 == '*' or has_ipv4(AdditionalExtensions, response_has_ipv4)) and \n (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(AdditionalExtensions, response_has_any_prefix)) and\n (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = 
DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where (array_length(domain_has_any) == 0 or FTNTFGTqname has_any (domain_has_any)) and\n (responsecodename == '*' or FTNTFGTrcode == DnsResponseCodeNameLookup) and\n (response_has_ipv4 == '*' or has_ipv4(FTNTFGTipaddr, response_has_ipv4)) and\n (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(FTNTFGTipaddr, response_has_any_prefix))\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == \"Unknown\",\"\",\n DnsQueryTypeName\n )\n | lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = 
\"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory\n | extend \n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr = srcipaddr,\n domain_has_any = domain_has_any,\n responsecodename = responsecodename, \n response_has_ipv4 = response_has_ipv4, \n response_has_any_prefix = response_has_any_prefix, \n eventtype = eventtype, \n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "vimDnsFortinetFortiGate", + "query": "let Parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", 
\"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", \"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", \"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsResponseCodeNameLookup = toscalar(\n EventOriginalResultDetailsLookup\n | where not(disabled)\n | where (responsecodename == '*' or EventResultDetails =~ responsecodename)\n | project EventOriginalResultDetails\n );\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 
14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | where (srcipaddr == \"*\" or SourceIP == srcipaddr) and\n (array_length(domain_has_any) == 0 or AdditionalExtensions has_any (domain_has_any)) and\n (responsecodename == '*' or AdditionalExtensions has DnsResponseCodeNameLookup) and\n (response_has_ipv4 == '*' or has_ipv4(AdditionalExtensions, response_has_ipv4)) and \n (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(AdditionalExtensions, 
response_has_any_prefix)) and\n (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where (array_length(domain_has_any) == 0 or FTNTFGTqname has_any (domain_has_any)) and\n (responsecodename == '*' or FTNTFGTrcode == DnsResponseCodeNameLookup) and\n (response_has_ipv4 == '*' or has_ipv4(FTNTFGTipaddr, response_has_ipv4)) and\n (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(FTNTFGTipaddr, response_has_any_prefix))\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == 
\"Unknown\",\"\",\n DnsQueryTypeName\n )\n | lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = \"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory\n | extend \n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr = srcipaddr,\n domain_has_any = domain_has_any,\n responsecodename = responsecodename, \n response_has_ipv4 = response_has_ipv4, \n response_has_any_prefix = response_has_any_prefix, \n eventtype = eventtype, \n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json b/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json index ba8ace4a43a..302acb70cf1 100644 --- a/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json +++ b/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsGcp')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsGcp", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for GCP", - "category": "ASIM", - "FunctionAlias": "vimDnsGcp", - "query": "// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\n[\"DEFAULT\",\"Informational\",\n\"DEBUG\",\"Informational\",\n\"INFO\",\"Informational\",\n\"NOTICE\",\"Medium\",\n\"WARNING\",\"Medium\",\n\"ERROR\",\"High\",\n\"CRITICAL\",\"High\",\n\"ALERT\",\"High\",\n\"EMERGENCY\",\"High\"\n];\nlet DNSQuery_GcpDns=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n){\n GCP_DNS_CL | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where resource_type_s == \"dns_query\"\n // Pre-parsing filtering:\n | where\n (eventtype in ('lookup', 'Query')) // -- for now we support only lookup events\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or has_ipv4(payload_sourceIP_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or payload_queryName_s has_any (domain_has_any))\n and 
(responsecodename=='*' or payload_responseCode_s == responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(payload_rdata_s,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(payload_rdata_s, response_has_any_prefix))\n // *****************************************************************\n | lookup GCPSeverityTable on severity_s\n | project-rename\n DnsQueryTypeName=payload_queryType_s,\n DnsResponseName=payload_rdata_s, \n EventResultDetails=payload_responseCode_s,\n NetworkProtocol=payload_protocol_s, \n SrcIpAddr=payload_sourceIP_s,\n EventOriginalUid=insert_id_s,\n EventOriginalSeverity=severity_s \n | extend\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \n EventCount=int(1),\n EventProduct='Cloud DNS',\n EventVendor='GCP',\n EventSchema='Dns',\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"GCPDNS\" ,\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\n EventSubType='response',\n EventEndTime=todatetime(timestamp_t)\n | extend\n EventStartTime = EventEndTime,\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\n // -- Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n | project-away *_s, *_d, *_b, *_t\n };\n DNSQuery_GcpDns (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + 
"displayName": "DNS activity ASIM filtering parser for GCP", + "category": "ASIM", + "FunctionAlias": "vimDnsGcp", + "query": "// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\n[\"DEFAULT\",\"Informational\",\n\"DEBUG\",\"Informational\",\n\"INFO\",\"Informational\",\n\"NOTICE\",\"Medium\",\n\"WARNING\",\"Medium\",\n\"ERROR\",\"High\",\n\"CRITICAL\",\"High\",\n\"ALERT\",\"High\",\n\"EMERGENCY\",\"High\"\n];\nlet DNSQuery_GcpDns=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n){\n GCP_DNS_CL | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where resource_type_s == \"dns_query\"\n // Pre-parsing filtering:\n | where\n (eventtype in ('lookup', 'Query')) // -- for now we support only lookup events\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or has_ipv4(payload_sourceIP_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or payload_queryName_s has_any (domain_has_any))\n and (responsecodename=='*' or payload_responseCode_s == responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(payload_rdata_s,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(payload_rdata_s, response_has_any_prefix))\n // *****************************************************************\n | lookup GCPSeverityTable on severity_s\n | project-rename\n DnsQueryTypeName=payload_queryType_s,\n DnsResponseName=payload_rdata_s, \n EventResultDetails=payload_responseCode_s,\n NetworkProtocol=payload_protocol_s, \n SrcIpAddr=payload_sourceIP_s,\n EventOriginalUid=insert_id_s,\n 
EventOriginalSeverity=severity_s \n | extend\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \n EventCount=int(1),\n EventProduct='Cloud DNS',\n EventVendor='GCP',\n EventSchema='Dns',\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"GCPDNS\" ,\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\n EventSubType='response',\n EventEndTime=todatetime(timestamp_t)\n | extend\n EventStartTime = EventEndTime,\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\n // -- Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n | project-away *_s, *_d, *_b, *_t\n };\n DNSQuery_GcpDns (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/README.md b/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/README.md new file mode 100644 index 00000000000..627180a82f4 --- /dev/null +++ b/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/README.md 
@@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM Dns Normalization Parser + +ARM template for ASIM Dns schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing Dns logs from Infoblox BloxOne to the ASIM Dns normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Dns normalization schema reference](https://aka.ms/ASimDnsDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FvimDnsInfobloxBloxOne%2FvimDnsInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FvimDnsInfobloxBloxOne%2FvimDnsInfobloxBloxOne.json) diff --git a/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/vimDnsInfobloxBloxOne.json b/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/vimDnsInfobloxBloxOne.json new file mode 100644 index 00000000000..3e704cde7c5 --- /dev/null +++ b/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/vimDnsInfobloxBloxOne.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Dns ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "vimDnsInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int)\n [\n \"A\", 1,\n \"NS\", 2,\n \"MD\", 3,\n \"MF\", 4,\n \"CNAME\", 5,\n \"SOA\", 6,\n \"MB\", 7,\n \"MG\", 8,\n \"MR\", 9,\n \"NULL\", 10,\n \"WKS\", 11,\n \"PTR\", 12,\n \"HINFO\", 13,\n \"MINFO\", 14,\n \"MX\", 15,\n \"TXT\", 16,\n \"RP\", 17,\n \"AFSDB\", 18,\n \"X25\", 19,\n \"ISDN\", 20, \n \"RT\", 21, \n \"NSAP\", 22, \n \"NSAPPTR\", 23, \n \"SIG\", 24, \n \"KEY\", 25, \n \"PX\", 26, \n \"GPOS\", 27, \n \"AAAA\", 28, \n \"LOC\", 29, \n \"NXT\", 30, \n \"EID\", 31, \n \"NIMLOC\", 32, \n \"SRV\", 33, \n \"ATMA\", 34, \n \"NAPTR\", 35, \n \"KX\", 36, \n \"CERT\", 37, \n \"A6\", 38, \n \"DNAME\", 39, \n 
\"SINK\", 40, \n \"OPT\", 41, \n \"APL\", 42, \n \"DS\", 43, \n \"SSHFP\", 44, \n \"IPSECKEY\", 45, \n \"RRSIG\", 46, \n \"NSEC\", 47, \n \"DNSKEY\", 48, \n \"DHCID\", 49, \n \"NSEC3\", 50, \n \"NSEC3PARAM\", 51, \n \"TLSA\", 52, \n \"SMIMEA\", 53, \n \"HIP\", 55, \n \"NINFO\", 56, \n \"RKEY\", 57, \n \"TALINK\", 58, \n \"CDS\", 59, \n \"CDNSKEY\", 60, \n \"OPENPGPKEY\", 61, \n \"CSYNC\", 62, \n \"ZONEMD\", 63, \n \"SVCB\", 64, \n \"HTTPS\", 65, \n \"SPF\", 99, \n \"UINFO\", 100, \n \"UID\", 101, \n \"GID\", 102, \n \"UNSPEC\", 103, \n \"TKEY\", 249, \n \"TSIG\", 250, \n \"IXFR\", 251, \n \"MAILB\", 253, \n \"MAILA\", 254, \n \"ANY\", 255, \n \"URI\", 256, \n \"CAA\", 257, \n \"TA\", 32768, \n \"DLV\", 32769 \n];\nlet DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int)\n [\n \"NOERROR\", 0, \n \"FORMERR\", 1, \n \"SERVFAIL\", 2, \n \"NXDOMAIN\", 3, \n \"NOTIMPL\", 4, \n \"REFUSED\", 5, \n \"YXDOMAIN\", 6, \n \"YXRRSET\", 7, \n \"NXRRSET\", 8, \n \"NOTAUTH\", 9, \n \"NOTZONE\", 10, \n \"DSOTYPENI\", 11, \n \"RESERVED12\", 12,\n \"RESERVED13\", 13,\n \"RESERVED14\", 14,\n \"RESERVED15\", 15,\n \"BADVERS\", 16, \n \"BADKEY\", 17, \n \"BADTIME\", 18, \n \"BADMODE\", 19, \n \"BADNAME\", 20, \n \"BADALG\", 21, \n \"BADTRUNC\", 22, \n \"BADCOOKIE\", 23, \n ];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n and (eventtype == '*' or eventtype == \"Query\")\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Infoblox\" \n and DeviceEventClassID has \"DNS\"\n and (srcipaddr==\"*\" or has_ipv4(SourceIP, srcipaddr))\n and response_has_ipv4 == '*'\n and 
array_length(response_has_any_prefix) == 0\n | project-rename \n DnsQuery = DestinationDnsDomain\n | extend\n DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == \".\", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery)\n | where array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any)\n | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where responsecodename == '*' or (InfobloxDNSRCode =~ responsecodename)\n | project-rename \n EventResultDetails = InfobloxDNSRCode,\n DnsQueryTypeName = InfobloxDNSQType,\n DnsFlags = InfobloxDNSQFlags\n | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0])\n | lookup EventSeverityLookup on LogSeverity\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | lookup DnsResponseCodeLookup on EventResultDetails\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename \n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n SrcUsername = SourceUserName,\n SrcPortNumber = SourcePort,\n EventUid = _ItemId\n | extend\n Dvc = coalesce(DvcHostname, DvcIpAddr),\n EventEndTime = TimeGenerated,\n EventResult = iff(EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n Src = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DnsResponseCodeName = EventResultDetails,\n IpAddr = SrcIpAddr,\n User = SrcUsername\n | extend Domain = DnsQuery\n | extend\n EventCount = toint(1),\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventProduct = \"BloxOne\",\n EventVendor = \"Infoblox\",\n EventType = \"Query\",\n DnsQueryClass = toint(1),\n DnsQueryClassName = \"IN\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n Protocol,\n 
SimplifiedDeviceAction,\n ExternalID,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity,\n Computer,\n ApplicationProtocol,\n ExtID,\n Reason\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json b/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json index 7de97e43273..22e97b15aef 100644 --- a/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json +++ b/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json 
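Review bot: In the new vimDnsInfobloxBloxOne query the response-code filter is case-insensitive (`InfobloxDNSRCode =~ responsecodename`) but the outcome classification is case-sensitive, `EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure")`, and `lookup DnsResponseCodeLookup on EventResultDetails` is exact-match as well, so a code arriving in a different case would pass the filter yet be reported as a Failure with no DnsResponseCode, skewing anything keyed on EventResult. Aligning the two paths, for example `EventResult = iff(EventResultDetails =~ "NOERROR", "Success", "Failure")` and normalising the code with `toupper()` before the lookup, would make them agree; the vimDnsGcp query in this same diff already uses `=~` for that comparison. As a point of style, the trailing-dot strip `iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery)` reads more simply as `trim_end(@'\.', DnsQuery)`, which is the form the GCP parser uses. If this template is emitted from the parser's YAML source, both changes belong in the YAML rather than in the generated JSON.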
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsInfobloxNIOS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsInfobloxNIOS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Infoblox NIOS", - "category": "ASIM", - "FunctionAlias": "vimDnsInfobloxNIOS", - "query": "let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\nlet response = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n SyslogProjected\n | where not(disabled)\n and (eventtype in~ ('lookup', 'Query'))\n // -- Pre filtering\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n | where \n (srcipaddr==\"*\" or has_ipv4(SyslogMessage, srcipaddr))\n and (array_length(domain_has_any) == 0 or SyslogMessage has_any (domain_has_any))\n and (responsecodename==\"*\" or SyslogMessage has responsecodename)\n and (array_length(response_has_any_prefix)==0 or has_any_ipv4_prefix(SyslogMessage, response_has_any_prefix))\n and (response_has_ipv4=='*' or has_ipv4(SyslogMessage,response_has_ipv4))\n | parse SyslogMessage with *\n \"client \" 
SrcIpAddr: string\n \"#\" SrcPortNumber: string\n \" \" NetworkProtocol: string\n \": query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\n | extend SrcPortNumber = toint(SrcPortNumber)\n | extend EventSubType = \"response\"\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\n};\nlet request =(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n SyslogProjected \n | where not(disabled)\n // -- Pre filtering\n and (eventtype in~ ('lookup', 'Query'))\n and (responsecodename==\"*\")\n and (array_length(response_has_any_prefix)==0)\n and (response_has_ipv4=='*')\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n | where \n (srcipaddr==\"*\" or has_ipv4(SyslogMessage, srcipaddr))\n and (array_length(domain_has_any) == 0 or SyslogMessage has_any (domain_has_any))\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\n | extend SyslogMessage = 
replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\n | parse SyslogMessage with \n SrcIpAddr: string\n \"#\" SrcPortNumber: int *\n \"query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" \" DnsFlags: string\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\n | extend \n EventSubType = \"request\",\n DnsResponseCodeName = \"NA\"\n | project-away SyslogMessage, ProcessName\n};\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n union \n response (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n ),\n request (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n ) \n // -- Post-filtering\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename==\"*\" or DnsResponseCodeName has responsecodename)\n and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n and (response_has_ipv4 == '*' or has_ipv4(DnsResponseName,response_has_ipv4))\n | extend\n EventCount=int(1),\n EventStartTime=todatetime(TimeGenerated),\n EventEndTime=todatetime(TimeGenerated),\n EventProduct=\"NIOS\",\n 
EventVendor=\"Infoblox\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventType=\"Query\", \n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\n // -- Aliases\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | project-away Computer\n | extend\n Dvc=DvcHostname,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventResultDetails = DnsResponseCodeName\n | project-away HostIP\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Infoblox NIOS", + "category": "ASIM", + "FunctionAlias": "vimDnsInfobloxNIOS", + "query": "let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\nlet response = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n SyslogProjected\n | where not(disabled)\n and (eventtype in~ ('lookup', 'Query'))\n // -- Pre filtering\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName == \"named\" and 
SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n | where \n (srcipaddr==\"*\" or has_ipv4(SyslogMessage, srcipaddr))\n and (array_length(domain_has_any) == 0 or SyslogMessage has_any (domain_has_any))\n and (responsecodename==\"*\" or SyslogMessage has responsecodename)\n and (array_length(response_has_any_prefix)==0 or has_any_ipv4_prefix(SyslogMessage, response_has_any_prefix))\n and (response_has_ipv4=='*' or has_ipv4(SyslogMessage,response_has_ipv4))\n | parse SyslogMessage with *\n \"client \" SrcIpAddr: string\n \"#\" SrcPortNumber: string\n \" \" NetworkProtocol: string\n \": query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\n | extend SrcPortNumber = toint(SrcPortNumber)\n | extend EventSubType = \"response\"\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\n};\nlet request =(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n SyslogProjected \n | where not(disabled)\n // -- Pre filtering\n and (eventtype in~ ('lookup', 'Query'))\n and (responsecodename==\"*\")\n and (array_length(response_has_any_prefix)==0)\n and (response_has_ipv4=='*')\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where 
ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n | where \n (srcipaddr==\"*\" or has_ipv4(SyslogMessage, srcipaddr))\n and (array_length(domain_has_any) == 0 or SyslogMessage has_any (domain_has_any))\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\n | extend SyslogMessage = replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\n | parse SyslogMessage with \n SrcIpAddr: string\n \"#\" SrcPortNumber: int *\n \"query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" \" DnsFlags: string\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\n | extend \n EventSubType = \"request\",\n DnsResponseCodeName = \"NA\"\n | project-away SyslogMessage, ProcessName\n};\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n union \n response (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n ),\n request (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n ) \n // -- Post-filtering\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and 
(array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename==\"*\" or DnsResponseCodeName has responsecodename)\n and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n and (response_has_ipv4 == '*' or has_ipv4(DnsResponseName,response_has_ipv4))\n | extend\n EventCount=int(1),\n EventStartTime=todatetime(TimeGenerated),\n EventEndTime=todatetime(TimeGenerated),\n EventProduct=\"NIOS\",\n EventVendor=\"Infoblox\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventType=\"Query\", \n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\n // -- Aliases\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | project-away Computer\n | extend\n Dvc=DvcHostname,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventResultDetails = DnsResponseCodeName\n | project-away HostIP\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json b/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json index d5a9ef9261a..28934315d71 100644 --- a/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json +++ b/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsMicrosoftNXlog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsMicrosoftNXlog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Microsoft DNS logs collected using NXlog", - "category": "ASIM", - "FunctionAlias": "vimDnsMicrosoftNXlog", - "query": "let ASimDnsMicrosoftNXLog = (\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ){\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\n 256, 'Query'\n , 257, 'Query'\n , 258, 'Query'\n , 259, 'Query'\n , 260, 'Query'\n , 261, 'Query'\n , 262, 'Query'\n , 263, 'Dynamic update'\n , 264, 'Dynamic update'\n , 265, 'Zone XFR'\n , 266, 'Zone XFR'\n , 267, 'Zone XFR'\n , 268, 'Zone XFR'\n , 269, 'Zone XFR'\n , 270, 'Zone XFR'\n , 271, 'Zone XFR'\n , 272, 'Zone XFR'\n , 273, 'Zone XFR'\n , 274, 'Zone XFR'\n , 275, 'Zone XFR'\n , 276, 'Zone XFR'\n , 277, 'Dynamic update'\n , 278, 'Dynamic update'\n , 279, 'Query'\n , 280, 'Query'\n];\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\n 256, 'request'\n, 257, 'response'\n, 258, 'response'\n, 259, 'response'\n, 260, 'request'\n, 261, 'response'\n, 262, 'response'\n, 263, 'request'\n, 264, 'response'\n, 265, 'request'\n, 266, 'request'\n, 
267, 'response'\n, 268, 'response'\n, 269, 'request'\n, 270, 'request'\n, 271, 'response'\n, 272, 'response'\n, 273, 'request'\n, 274, 'request'\n, 275, 'response'\n, 276, 'response'\n, 277, 'request'\n, 278, 'response'\n, 279, 'response'\n, 280, 'response'\n];\nlet EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\n 256, 'NA'\n , 257, 'Success'\n , 258, 'Failure'\n , 259, 'Failure'\n , 260, 'NA'\n , 261, 'NA'\n , 262, 'Failure'\n , 263, 'NA'\n , 264, 'Based on RCODE'\n , 265, 'NA'\n , 266, 'NA'\n , 267, 'Based on RCODE'\n , 268, 'Based on RCODE'\n , 269, 'NA'\n , 270, 'NA'\n , 271, 'Based on RCODE'\n , 272, 'Based on RCODE'\n , 273, 'NA'\n , 274, 'NA'\n , 275, 'Success'\n , 276, 'Success'\n , 277, 'NA'\n , 278, 'Based on RCODE'\n , 279, 'NA'\n , 280, 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\n 0,'NOERROR'\n , 1,'FORMERR'\n , 2,'SERVFAIL'\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'\n];\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\n 0, 'Reserved'\n , 1, 'A'\n , 2, 'NS'\n , 3, 'MD'\n , 4, 'MF'\n , 5, 'CNAME'\n , 6, 'SOA'\n , 7, 'MB'\n , 8 ,'MG'\n , 9 ,'MR'\n , 10,'NULL'\n , 11,'WKS'\n , 12,'PTR'\n , 13,'HINFO'\n , 14,'MINFO'\n , 15,'MX'\n , 16,'TXT'\n , 17,'RP'\n , 18,'AFSDB'\n , 19,'X25'\n , 20,'ISDN'\n , 21,'RT'\n , 22,'NSAP'\n , 23,'NSAP-PTR'\n , 24,'SIG'\n , 25,'KEY'\n , 26,'PX'\n , 27,'GPOS'\n , 28,'AAAA'\n , 29,'LOC'\n , 30,'NXT'\n , 31,'EID'\n , 32,'NIMLOC'\n , 33,'SRV'\n , 34,'ATMA'\n , 35,'NAPTR'\n , 36,'KX'\n , 37,'CERT'\n , 38,'A6'\n , 39,'DNAME'\n , 40,'SINK'\n , 41,'OPT'\n , 42,'APL'\n , 43,'DS'\n , 44,'SSHFP'\n , 45,'IPSECKEY'\n , 46,'RRSIG'\n , 47,'NSEC'\n , 48,'DNSKEY'\n , 49,'DHCID'\n , 50,'NSEC3'\n , 51,'NSEC3PARAM'\n , 
52,'TLSA'\n , 53,'SMIMEA'\n , 55,'HIP'\n , 56,'NINFO'\n , 57,'RKEY'\n , 58,'TALINK'\n , 59,'CDS'\n , 60,'CDNSKEY'\n , 61,'OPENPGPKEY'\n , 62,'CSYNC'\n , 63,'ZONEMD'\n , 64,'SVCB'\n , 65,'HTTPS'\n , 99,'SPF'\n , 100,'UINFO'\n , 101,'UID'\n , 102,'GID'\n , 103,'UNSPEC'\n , 104,'NID'\n , 105,'L32'\n , 106,'L64'\n , 107,'LP'\n , 108,'EUI48'\n , 109,'EUI64'\n , 249,'TKEY'\n , 250,'TSIG'\n , 251,'IXFR'\n , 252,'AXFR'\n , 253,'MAILB'\n , 254,'MAILA'\n , 255,'*'\n , 256,'URI'\n , 257,'CAA'\n , 258,'AVC'\n , 259,'DOA'\n , 32768,'TA'\n , 32769,'DLV'\n];\nNXLog_DNS_Server_CL | where not(disabled)\n| where EventID_d < 281\n| project-rename \n EventOriginalType=EventID_d\n| lookup EventTypeTable on EventOriginalType\n| extend\n eventtype = iff (eventtype == \"lookup\", \"Query\", eventtype)\n// Pre-parsing filtering:\n | where\n // Return empty list if response IPs are passed\n (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (eventtype=='*' or EventType == eventtype) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or Source_s==srcipaddr)\n and (array_length(domain_has_any) ==0 or QNAME_s has_any (domain_has_any))\n and (responsecodename=='*' or RCODE_s=~responsecodename)\n// --\n| project-rename\n DnsFlags=Flags_s,\n DnsQuery=QNAME_s,\n DnsQueryType=QTYPE_s,\n DnsResponseCode=RCODE_s,\n DnsResponseName=PacketData_s,\n Dvc=Hostname_s,\n EventOriginalUid=GUID_g,\n EventStartTime=EventTime_t,\n SrcIpAddr=Source_s,\n EventUid=_ItemId\n| extend\n DnsQuery=trim_end(\".\",DnsQuery),\n DnsQueryType=toint(DnsQueryType),\n DnsResponseCode=toint(DnsResponseCode),\n SrcPortNumber=toint(Port_s),\n DvcHostname=Dvc,\n DvcIpAddr=HostIP_s,\n EventEndTime=EventStartTime,\n EventProduct = \"DNS Server\",\n EventSchemaVersion = \"0.1.7\",\n EventVendor = \"Microsoft\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\n 
TransactionIdHex=tohex(toint(XID_s)),\n DnsFlagsAuthenticated = tobool(AD_s),\n DnsFlagsAuthoritative = tobool(AA_s),\n DnsFlagsRecursionDesired = tobool(RD_s)\n| lookup EventSubTypeTable on EventOriginalType\n| lookup EventResultTable on EventOriginalType\n| lookup RCodeTable on DnsResponseCode\n| lookup QTypeTable on DnsQueryType\n| extend\n EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventOriginalType = tostring(EventOriginalType)\n| extend\n Domain=DnsQuery,\n DnsResponseCodeName=EventResultDetails,\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\n , DnsQueryType between (66 .. 98), 'Unassigned'\n , DnsQueryType between (110 .. 248), 'Unassigned'\n , DnsQueryType between (261 .. 32767), 'Unassigned'\n , 'Unassigned'),\n EventResult=iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n| extend\n // Aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId, eventtype\n};\nASimDnsMicrosoftNXLog (\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename,\n response_has_ipv4=response_has_ipv4,\n response_has_any_prefix=response_has_any_prefix,\n eventtype=eventtype,\n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Microsoft DNS logs collected using NXlog", + 
"category": "ASIM", + "FunctionAlias": "vimDnsMicrosoftNXlog", + "query": "let ASimDnsMicrosoftNXLog = (\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ){\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\n 256, 'Query'\n , 257, 'Query'\n , 258, 'Query'\n , 259, 'Query'\n , 260, 'Query'\n , 261, 'Query'\n , 262, 'Query'\n , 263, 'Dynamic update'\n , 264, 'Dynamic update'\n , 265, 'Zone XFR'\n , 266, 'Zone XFR'\n , 267, 'Zone XFR'\n , 268, 'Zone XFR'\n , 269, 'Zone XFR'\n , 270, 'Zone XFR'\n , 271, 'Zone XFR'\n , 272, 'Zone XFR'\n , 273, 'Zone XFR'\n , 274, 'Zone XFR'\n , 275, 'Zone XFR'\n , 276, 'Zone XFR'\n , 277, 'Dynamic update'\n , 278, 'Dynamic update'\n , 279, 'Query'\n , 280, 'Query'\n];\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\n 256, 'request'\n, 257, 'response'\n, 258, 'response'\n, 259, 'response'\n, 260, 'request'\n, 261, 'response'\n, 262, 'response'\n, 263, 'request'\n, 264, 'response'\n, 265, 'request'\n, 266, 'request'\n, 267, 'response'\n, 268, 'response'\n, 269, 'request'\n, 270, 'request'\n, 271, 'response'\n, 272, 'response'\n, 273, 'request'\n, 274, 'request'\n, 275, 'response'\n, 276, 'response'\n, 277, 'request'\n, 278, 'response'\n, 279, 'response'\n, 280, 'response'\n];\nlet EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\n 256, 'NA'\n , 257, 'Success'\n , 258, 'Failure'\n , 259, 'Failure'\n , 260, 'NA'\n , 261, 'NA'\n , 262, 'Failure'\n , 263, 'NA'\n , 264, 'Based on RCODE'\n , 265, 'NA'\n , 266, 'NA'\n , 267, 'Based on RCODE'\n , 268, 'Based on RCODE'\n , 269, 'NA'\n , 270, 'NA'\n , 271, 'Based on RCODE'\n , 272, 'Based on RCODE'\n , 273, 'NA'\n , 274, 'NA'\n , 275, 'Success'\n , 276, 'Success'\n , 277, 'NA'\n , 
278, 'Based on RCODE'\n , 279, 'NA'\n , 280, 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\n 0,'NOERROR'\n , 1,'FORMERR'\n , 2,'SERVFAIL'\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'\n];\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\n 0, 'Reserved'\n , 1, 'A'\n , 2, 'NS'\n , 3, 'MD'\n , 4, 'MF'\n , 5, 'CNAME'\n , 6, 'SOA'\n , 7, 'MB'\n , 8 ,'MG'\n , 9 ,'MR'\n , 10,'NULL'\n , 11,'WKS'\n , 12,'PTR'\n , 13,'HINFO'\n , 14,'MINFO'\n , 15,'MX'\n , 16,'TXT'\n , 17,'RP'\n , 18,'AFSDB'\n , 19,'X25'\n , 20,'ISDN'\n , 21,'RT'\n , 22,'NSAP'\n , 23,'NSAP-PTR'\n , 24,'SIG'\n , 25,'KEY'\n , 26,'PX'\n , 27,'GPOS'\n , 28,'AAAA'\n , 29,'LOC'\n , 30,'NXT'\n , 31,'EID'\n , 32,'NIMLOC'\n , 33,'SRV'\n , 34,'ATMA'\n , 35,'NAPTR'\n , 36,'KX'\n , 37,'CERT'\n , 38,'A6'\n , 39,'DNAME'\n , 40,'SINK'\n , 41,'OPT'\n , 42,'APL'\n , 43,'DS'\n , 44,'SSHFP'\n , 45,'IPSECKEY'\n , 46,'RRSIG'\n , 47,'NSEC'\n , 48,'DNSKEY'\n , 49,'DHCID'\n , 50,'NSEC3'\n , 51,'NSEC3PARAM'\n , 52,'TLSA'\n , 53,'SMIMEA'\n , 55,'HIP'\n , 56,'NINFO'\n , 57,'RKEY'\n , 58,'TALINK'\n , 59,'CDS'\n , 60,'CDNSKEY'\n , 61,'OPENPGPKEY'\n , 62,'CSYNC'\n , 63,'ZONEMD'\n , 64,'SVCB'\n , 65,'HTTPS'\n , 99,'SPF'\n , 100,'UINFO'\n , 101,'UID'\n , 102,'GID'\n , 103,'UNSPEC'\n , 104,'NID'\n , 105,'L32'\n , 106,'L64'\n , 107,'LP'\n , 108,'EUI48'\n , 109,'EUI64'\n , 249,'TKEY'\n , 250,'TSIG'\n , 251,'IXFR'\n , 252,'AXFR'\n , 253,'MAILB'\n , 254,'MAILA'\n , 255,'*'\n , 256,'URI'\n , 257,'CAA'\n , 258,'AVC'\n , 259,'DOA'\n , 32768,'TA'\n , 32769,'DLV'\n];\nNXLog_DNS_Server_CL | where not(disabled)\n| where EventID_d < 281\n| project-rename \n EventOriginalType=EventID_d\n| lookup EventTypeTable on EventOriginalType\n| extend\n eventtype = 
iff (eventtype == \"lookup\", \"Query\", eventtype)\n// Pre-parsing filtering:\n | where\n // Return empty list if response IPs are passed\n (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (eventtype=='*' or EventType == eventtype) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or Source_s==srcipaddr)\n and (array_length(domain_has_any) ==0 or QNAME_s has_any (domain_has_any))\n and (responsecodename=='*' or RCODE_s=~responsecodename)\n// --\n| project-rename\n DnsFlags=Flags_s,\n DnsQuery=QNAME_s,\n DnsQueryType=QTYPE_s,\n DnsResponseCode=RCODE_s,\n DnsResponseName=PacketData_s,\n Dvc=Hostname_s,\n EventOriginalUid=GUID_g,\n EventStartTime=EventTime_t,\n SrcIpAddr=Source_s,\n EventUid=_ItemId\n| extend\n DnsQuery=trim_end(\".\",DnsQuery),\n DnsQueryType=toint(DnsQueryType),\n DnsResponseCode=toint(DnsResponseCode),\n SrcPortNumber=toint(Port_s),\n DvcHostname=Dvc,\n DvcIpAddr=HostIP_s,\n EventEndTime=EventStartTime,\n EventProduct = \"DNS Server\",\n EventSchemaVersion = \"0.1.7\",\n EventVendor = \"Microsoft\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\n TransactionIdHex=tohex(toint(XID_s)),\n DnsFlagsAuthenticated = tobool(AD_s),\n DnsFlagsAuthoritative = tobool(AA_s),\n DnsFlagsRecursionDesired = tobool(RD_s)\n| lookup EventSubTypeTable on EventOriginalType\n| lookup EventResultTable on EventOriginalType\n| lookup RCodeTable on DnsResponseCode\n| lookup QTypeTable on DnsQueryType\n| extend\n EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventOriginalType = tostring(EventOriginalType)\n| extend\n Domain=DnsQuery,\n DnsResponseCodeName=EventResultDetails,\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\n , DnsQueryType between (66 .. 
98), 'Unassigned'\n , DnsQueryType between (110 .. 248), 'Unassigned'\n , DnsQueryType between (261 .. 32767), 'Unassigned'\n , 'Unassigned'),\n EventResult=iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n| extend\n // Aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId, eventtype\n};\nASimDnsMicrosoftNXLog (\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename,\n response_has_ipv4=response_has_ipv4,\n response_has_any_prefix=response_has_any_prefix,\n eventtype=eventtype,\n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json b/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json index a13a4892cc5..e468e41c4f7 100644 --- a/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json +++ b/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsMicrosoftOMS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsMicrosoftOMS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Windows DNS log collected using the Log Analytics agent", - "category": "ASIM", - "FunctionAlias": "vimDnsMicrosoftOMS", - "query": "let EventTypeTable=datatable(EventId:int,EventType:string,EventSubType:string, EventResult:string)[\n 256, 'Query', 'request', 'NA'\n , 257, 'Query', 'response', 'Success'\n , 258, 'Query', 'response', 'Based on RCODE'\n , 259, 'Query', 'response', 'Based on RCODE'\n , 260, 'Query', 'request', 'NA'\n , 261, 'Query', 'response', 'NA'\n , 262, 'Query', 'response', 'Based on RCODE'\n , 263, 'Update', 'request', 'NA'\n , 264, 'Update', 'response', 'Based on RCODE'\n , 265, 'XFR', 'request', 'NA' \n , 266, 'XFR', 'request', 'NA'\n , 267, 'XFR', 'response', 'Based on RCODE'\n , 268, 'XFR', 'response', 'Based on RCODE'\n , 269, 'XFR', 'request', 'NA'\n , 270, 'XFR', 'request', 'NA'\n , 271, 'XFR', 'response', 'Based on RCODE'\n , 272, 'XFR', 'response', 'Based on RCODE'\n , 273, 'XFR', 'request', 'NA'\n , 274, 'XFR', 'request', 'NA'\n , 275, 'XFR', 'response', 'Success'\n , 276, 'XFR', 'response', 'Success'\n , 277, 'Update', 'request', 'NA'\n , 278, 'Update', 'response', 'Based on RCODE'\n , 279, 'Query', 'NA', 'NA'\n , 280, 'Query', 'NA', 'NA'\n ];\n let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n 0, 'NOERROR'\n , 1, \"FORMERR\"\n , 
2,\"SERVFAIL\"\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'];\n let QueryTypeSymbols=datatable(QTypeSeq:string,QTypeName:string)[\n \"0\", \"Reserved\",\n \"1\", \"A\",\n \"2\", \"NS\",\n \"3\", \"MD\",\n \"4\", \"MF\",\n \"5\", \"CNAME\",\n \"6\", \"SOA\",\n \"7\", \"MB\",\n \"8\", \"MG\",\n \"9\", \"MR\",\n \"10\", \"NULL\",\n \"11\", \"WKS\",\n \"12\", \"PTR\",\n \"13\", \"HINFO\",\n \"14\", \"MINFO\",\n \"15\", \"MX\",\n \"16\", \"TXT\",\n \"17\", \"RP\",\n \"18\", \"AFSDB\",\n \"19\", \"X25\",\n \"20\", \"ISDN\",\n \"21\", \"RT\",\n \"22\", \"NSAP\",\n \"23\", \"NSAP-PTR\",\n \"24\", \"SIG\",\n \"25\", \"KEY\",\n \"26\", \"PX\",\n \"27\", \"GPOS\",\n \"28\", \"AAAA\",\n \"29\", \"LOC\",\n \"30\", \"NXT\",\n \"31\", \"EID\",\n \"32\", \"NIMLOC\",\n \"33\", \"SRV\",\n \"34\", \"ATMA\",\n \"35\", \"NAPTR\",\n \"36\", \"KX\",\n \"37\", \"CERT\",\n \"38\", \"A6\",\n \"39\", \"DNAME\",\n \"40\", \"SINK\",\n \"41\", \"OPT\",\n \"42\", \"APL\",\n \"43\", \"DS\",\n \"44\", \"SSHFP\",\n \"45\", \"IPSECKEY\",\n \"46\", \"RRSIG\",\n \"47\", \"NSEC\",\n \"48\", \"DNSKEY\",\n \"49\", \"DHCID\",\n \"50\", \"NSEC3\",\n \"51\", \"NSEC3PARAM\",\n \"52\", \"TLSA\",\n \"53\", \"SMIMEA\",\n \"54\", \"Unassigned\",\n \"55\", \"HIP\",\n \"56\", \"NINFO\",\n \"57\", \"RKEY\",\n \"58\", \"TALINK\",\n \"59\", \"CDS\",\n \"60\", \"CDNSKEY\",\n \"61\", \"OPENPGPKEY\",\n \"62\", \"CSYNC\",\n \"99\", \"SPF\",\n \"100\", \"UINFO\",\n \"101\", \"UID\",\n \"102\", \"GID\",\n \"103\", \"UNSPEC\",\n \"104\", \"NID\",\n \"105\", \"L32\",\n \"106\", \"L64\",\n \"107\", \"LP\",\n \"108\", \"EUI48\",\n \"109\", \"EUI64\",\n \"249\", \"TKEY\",\n \"250\", \"TSIG\",\n \"251\", \"IXFR\",\n \"252\", \"AXFR\",\n \"253\", \"MAILB\",\n \"254\", 
\"MAILA\",\n \"255\", \"All\",\n \"256\", \"URI\",\n \"257\", \"CAA\",\n \"258\", \"AVC\",\n \"259\", \"DOA\",\n \"32768\", \"TA\",\n \"32769\", \"DLV\"];\n let DNSQuery_MS=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n ){\n let rcodenames=toscalar(RCodeTable | where DnsResponseCodeName == responsecodename | project DnsResponseCode);\n DnsEvents | where not(disabled)\n // ******************************************************************\n // Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or ClientIP==srcipaddr)\n and (array_length(domain_has_any) ==0 or Name has_any (domain_has_any))\n and (responsecodename=='*' or ResultCode == rcodenames)\n and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n // *****************************************************************\n | where EventId < 500\n | lookup QueryTypeSymbols on $left.QueryType == $right.QTypeSeq\n | extend DnsQueryTypeName=coalesce(QTypeName, QueryType)\n | lookup EventTypeTable on EventId\n // late filtering:\n | extend\n eventtype = iff (eventtype == \"lookup\", \"Query\", eventtype)\n | where (eventtype == \"*\" or eventtype == EventType)\n | project-rename\n Dvc=Computer ,\n SrcIpAddr = ClientIP,\n // DnsQueryTypeName=QueryType,\n EventMessage = Message,\n EventReportUrl = ReportReferenceLink,\n DnsResponseName = IPAddresses,\n DnsQuery = Name,\n DnsResponseCode = ResultCode\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( 
array_slice(hostelements,1,-1), '.')\n , DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n | extend DvcDomainType=iff(DvcFQDN !=\"\",\"FQDN\",\"\" )\n | project-away hostelements\n | extend\n EventCount=int(1),\n EventStartTime=TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"DNS Server\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventEndTime=TimeGenerated,\n EventSeverity = tostring(Severity),\n EventOriginalType = tostring(EventId)\n | lookup RCodeTable on DnsResponseCode\n | extend EventResultDetails = case (isnotempty(DnsResponseCodeName), DnsResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventResult = iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n // **************Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=srcipaddr\n | project-away \n SubType, QTypeName, QueryType, SourceSystem, TaskCategory, Remote*, Severity, Result, Confidence, Description, IndicatorThreatType, MaliciousIP, eventtype, EventId\n };\n DNSQuery_MS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Windows DNS log collected using the Log Analytics agent", + "category": "ASIM", + "FunctionAlias": "vimDnsMicrosoftOMS", + "query": "let EventTypeTable=datatable(EventId:int,EventType:string,EventSubType:string, EventResult:string)[\n 256, 'Query', 'request', 'NA'\n , 257, 'Query', 'response', 
'Success'\n , 258, 'Query', 'response', 'Based on RCODE'\n , 259, 'Query', 'response', 'Based on RCODE'\n , 260, 'Query', 'request', 'NA'\n , 261, 'Query', 'response', 'NA'\n , 262, 'Query', 'response', 'Based on RCODE'\n , 263, 'Update', 'request', 'NA'\n , 264, 'Update', 'response', 'Based on RCODE'\n , 265, 'XFR', 'request', 'NA' \n , 266, 'XFR', 'request', 'NA'\n , 267, 'XFR', 'response', 'Based on RCODE'\n , 268, 'XFR', 'response', 'Based on RCODE'\n , 269, 'XFR', 'request', 'NA'\n , 270, 'XFR', 'request', 'NA'\n , 271, 'XFR', 'response', 'Based on RCODE'\n , 272, 'XFR', 'response', 'Based on RCODE'\n , 273, 'XFR', 'request', 'NA'\n , 274, 'XFR', 'request', 'NA'\n , 275, 'XFR', 'response', 'Success'\n , 276, 'XFR', 'response', 'Success'\n , 277, 'Update', 'request', 'NA'\n , 278, 'Update', 'response', 'Based on RCODE'\n , 279, 'Query', 'NA', 'NA'\n , 280, 'Query', 'NA', 'NA'\n ];\n let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n 0, 'NOERROR'\n , 1, \"FORMERR\"\n , 2,\"SERVFAIL\"\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'];\n let QueryTypeSymbols=datatable(QTypeSeq:string,QTypeName:string)[\n \"0\", \"Reserved\",\n \"1\", \"A\",\n \"2\", \"NS\",\n \"3\", \"MD\",\n \"4\", \"MF\",\n \"5\", \"CNAME\",\n \"6\", \"SOA\",\n \"7\", \"MB\",\n \"8\", \"MG\",\n \"9\", \"MR\",\n \"10\", \"NULL\",\n \"11\", \"WKS\",\n \"12\", \"PTR\",\n \"13\", \"HINFO\",\n \"14\", \"MINFO\",\n \"15\", \"MX\",\n \"16\", \"TXT\",\n \"17\", \"RP\",\n \"18\", \"AFSDB\",\n \"19\", \"X25\",\n \"20\", \"ISDN\",\n \"21\", \"RT\",\n \"22\", \"NSAP\",\n \"23\", \"NSAP-PTR\",\n \"24\", \"SIG\",\n \"25\", \"KEY\",\n \"26\", \"PX\",\n \"27\", \"GPOS\",\n \"28\", \"AAAA\",\n \"29\", \"LOC\",\n \"30\", \"NXT\",\n \"31\", 
\"EID\",\n \"32\", \"NIMLOC\",\n \"33\", \"SRV\",\n \"34\", \"ATMA\",\n \"35\", \"NAPTR\",\n \"36\", \"KX\",\n \"37\", \"CERT\",\n \"38\", \"A6\",\n \"39\", \"DNAME\",\n \"40\", \"SINK\",\n \"41\", \"OPT\",\n \"42\", \"APL\",\n \"43\", \"DS\",\n \"44\", \"SSHFP\",\n \"45\", \"IPSECKEY\",\n \"46\", \"RRSIG\",\n \"47\", \"NSEC\",\n \"48\", \"DNSKEY\",\n \"49\", \"DHCID\",\n \"50\", \"NSEC3\",\n \"51\", \"NSEC3PARAM\",\n \"52\", \"TLSA\",\n \"53\", \"SMIMEA\",\n \"54\", \"Unassigned\",\n \"55\", \"HIP\",\n \"56\", \"NINFO\",\n \"57\", \"RKEY\",\n \"58\", \"TALINK\",\n \"59\", \"CDS\",\n \"60\", \"CDNSKEY\",\n \"61\", \"OPENPGPKEY\",\n \"62\", \"CSYNC\",\n \"99\", \"SPF\",\n \"100\", \"UINFO\",\n \"101\", \"UID\",\n \"102\", \"GID\",\n \"103\", \"UNSPEC\",\n \"104\", \"NID\",\n \"105\", \"L32\",\n \"106\", \"L64\",\n \"107\", \"LP\",\n \"108\", \"EUI48\",\n \"109\", \"EUI64\",\n \"249\", \"TKEY\",\n \"250\", \"TSIG\",\n \"251\", \"IXFR\",\n \"252\", \"AXFR\",\n \"253\", \"MAILB\",\n \"254\", \"MAILA\",\n \"255\", \"All\",\n \"256\", \"URI\",\n \"257\", \"CAA\",\n \"258\", \"AVC\",\n \"259\", \"DOA\",\n \"32768\", \"TA\",\n \"32769\", \"DLV\"];\n let DNSQuery_MS=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n ){\n let rcodenames=toscalar(RCodeTable | where DnsResponseCodeName == responsecodename | project DnsResponseCode);\n DnsEvents | where not(disabled)\n // ******************************************************************\n // Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or ClientIP==srcipaddr)\n and (array_length(domain_has_any) ==0 or Name has_any (domain_has_any))\n and (responsecodename=='*' or 
ResultCode == rcodenames)\n and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n // *****************************************************************\n | where EventId < 500\n | lookup QueryTypeSymbols on $left.QueryType == $right.QTypeSeq\n | extend DnsQueryTypeName=coalesce(QTypeName, QueryType)\n | lookup EventTypeTable on EventId\n // late filtering:\n | extend\n eventtype = iff (eventtype == \"lookup\", \"Query\", eventtype)\n | where (eventtype == \"*\" or eventtype == EventType)\n | project-rename\n Dvc=Computer ,\n SrcIpAddr = ClientIP,\n // DnsQueryTypeName=QueryType,\n EventMessage = Message,\n EventReportUrl = ReportReferenceLink,\n DnsResponseName = IPAddresses,\n DnsQuery = Name,\n DnsResponseCode = ResultCode\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n , DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n | extend DvcDomainType=iff(DvcFQDN !=\"\",\"FQDN\",\"\" )\n | project-away hostelements\n | extend\n EventCount=int(1),\n EventStartTime=TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"DNS Server\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventEndTime=TimeGenerated,\n EventSeverity = tostring(Severity),\n EventOriginalType = tostring(EventId)\n | lookup RCodeTable on DnsResponseCode\n | extend EventResultDetails = case (isnotempty(DnsResponseCodeName), DnsResponseCodeName\n , DnsResponseCode between (3841 .. 
4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventResult = iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n // **************Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=srcipaddr\n | project-away \n SubType, QTypeName, QueryType, SourceSystem, TaskCategory, Remote*, Severity, Result, Confidence, Description, IndicatorThreatType, MaliciousIP, eventtype, EventId\n };\n DNSQuery_MS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json b/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json index 934a79b7b7f..cb4712b9cfd 100644 --- a/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json +++ b/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json 
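Review bot: In the alias block at the end of the vimDnsMicrosoftOMS query, `Src=srcipaddr` binds the alias to the function parameter (default `'*'`) rather than to the parsed column, so every row's `Src` carries the caller's filter value instead of the client address; the NXLog parser earlier in this diff uses `Src = SrcIpAddr` and this parser should too. Since this ARM file is produced from the parser YAML by the generator changed in this same commit, the fix belongs in the source YAML with the template regenerated. Separately, RCodeTable has two rows keyed 16 (`BADVERS` and `BADSIG`); `lookup RCodeTable on DnsResponseCode` presumably emits a row per match, so an RCODE-16 event would be duplicated — keep a single row such as `, 16,'BADVERS/BADSIG'`. The resource restructure itself is sound: declaring `workspaces/savedSearches` directly instead of re-declaring the parent workspace means the deployment no longer needs, or exercises, write permission on the workspace resource, assuming the target workspace already exists.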
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Sysmon for Windows", - "category": "ASIM", - "FunctionAlias": "vimDnsMicrosoftSysmon", - "query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n, 9001, \"FORMERR\"\n, 9002,\"SERVFAIL\"\n, 9003,'NXDOMAIN'\n, 9004,'NOTIMP'\n, 9005,'REFUSED'\n, 9006,'YXDOMAIN'\n, 9007,'YXRRSET'\n, 9008,'NXRRSET'\n, 9009,'NOTAUTH'\n, 9010,'NOTZONE'\n, 9011,'DSOTYPENI'\n, 9016,'BADVERS'\n, 9016,'BADSIG'\n, 9017,'BADKEY'\n, 9018,'BADTIME'\n, 9019,'BADMODE'\n, 9020,'BADNAME'\n, 9021,'BADALG'\n, 9022,'BADTRUNC'\n, 9023,'BADCOOKIE'\n, 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_Event =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n) \n{\n Event | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n | project-away Source, EventID\n // -- Pre-parsing filtering (srcipaddr not available, 
responsecodename not optimizable)\n | where\n (eventtype in~ ('Query', 'lookup'))\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n // --\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n QueryName:string,\n QueryStatus:int,\n QueryResults:string,\n Image:string,\n User:string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n EventEndTime = UtcTime,\n SrcProcessId = ProcessId,\n SrcProcessGuid = ProcessGuid,\n DnsQuery = QueryName,\n DnsResponseCode = QueryStatus,\n DnsResponseName = QueryResults,\n SrcProcessName = Image,\n SrcUsername = User\n | project-away EventData \n // -- Post-filtering tests differnt for Event and WindowsEvent\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n };\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) \n , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n ParsedDnsEvent_Event (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or 
has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer,\n //EventUid = _ItemId,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n| extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": 
"DNS activity ASIM filtering parser for Sysmon for Windows", + "category": "ASIM", + "FunctionAlias": "vimDnsMicrosoftSysmon", + "query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n, 9001, \"FORMERR\"\n, 9002,\"SERVFAIL\"\n, 9003,'NXDOMAIN'\n, 9004,'NOTIMP'\n, 9005,'REFUSED'\n, 9006,'YXDOMAIN'\n, 9007,'YXRRSET'\n, 9008,'NXRRSET'\n, 9009,'NOTAUTH'\n, 9010,'NOTZONE'\n, 9011,'DSOTYPENI'\n, 9016,'BADVERS'\n, 9016,'BADSIG'\n, 9017,'BADKEY'\n, 9018,'BADTIME'\n, 9019,'BADMODE'\n, 9020,'BADNAME'\n, 9021,'BADALG'\n, 9022,'BADTRUNC'\n, 9023,'BADCOOKIE'\n, 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_Event =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n) \n{\n Event | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n | project-away Source, EventID\n // -- Pre-parsing filtering (srcipaddr not available, responsecodename not optimizable)\n | where\n (eventtype in~ ('Query', 'lookup'))\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n // --\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n QueryName:string,\n QueryStatus:int,\n QueryResults:string,\n 
Image:string,\n User:string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n EventEndTime = UtcTime,\n SrcProcessId = ProcessId,\n SrcProcessGuid = ProcessGuid,\n DnsQuery = QueryName,\n DnsResponseCode = QueryStatus,\n DnsResponseName = QueryResults,\n SrcProcessName = Image,\n SrcUsername = User\n | project-away EventData \n // -- Post-filtering tests differnt for Event and WindowsEvent\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n };\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) \n , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n ParsedDnsEvent_Event (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer,\n //EventUid = _ItemId,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n| extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n 
DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmonWindowsEvent/vimDnsMicrosoftSysmonWindowsEvent.json b/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmonWindowsEvent/vimDnsMicrosoftSysmonWindowsEvent.json index cf7354bb805..ea7cffaa16c 100644 --- a/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmonWindowsEvent/vimDnsMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmonWindowsEvent/vimDnsMicrosoftSysmonWindowsEvent.json 
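Review bot: RCodeTable in the vimDnsMicrosoftSysmon query has two rows keyed 9016 (`BADVERS` and `BADSIG`), and `| lookup RCodeTable on DnsResponseCode` presumably yields one output row per match, so a Sysmon event with QueryStatus 9016 would be emitted twice and its EventCount inflated. Collapse it to one row, e.g. `, 9016,'BADVERS/BADSIG'`; the later filter `DnsResponseCodeName has responsecodename` term-matches either name, so `responsecodename='BADSIG'` keeps working. This template is generated from the parser YAML, so the change belongs there. The `parse-kv EventData as (...) with (regex=@'{?([^<]*?)}?')` pattern as shown here has only one capture group, which looks like an artifact of this page dropping angle-bracketed text rather than the commit; worth confirming the regex in the repository still captures both key and value.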
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Sysmon for Windows", - "category": "ASIM", - "FunctionAlias": "vimDnsMicrosoftSysmonWindowsEvent", - "query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n, 9001, \"FORMERR\"\n, 9002,\"SERVFAIL\"\n, 9003,'NXDOMAIN'\n, 9004,'NOTIMP'\n, 9005,'REFUSED'\n, 9006,'YXDOMAIN'\n, 9007,'YXRRSET'\n, 9008,'NXRRSET'\n, 9009,'NOTAUTH'\n, 9010,'NOTZONE'\n, 9011,'DSOTYPENI'\n, 9016,'BADVERS'\n, 9016,'BADSIG'\n, 9017,'BADKEY'\n, 9018,'BADTIME'\n, 9019,'BADMODE'\n, 9020,'BADNAME'\n, 9021,'BADALG'\n, 9022,'BADTRUNC'\n, 9023,'BADCOOKIE'\n, 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_WindowsEvent =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n | project-away Provider, EventID\n // 
-- Pre-parsing filtering (srcipaddr not available)\n | where\n (eventtype=='lookup')\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n | extend DnsResponseCode = toint(EventData.QueryStatus)\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n | extend \n RuleName = tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n SrcProcessGuid = tostring(EventData.ProcessGuid),\n SrcProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseName = tostring(EventData.QueryResults),\n SrcProcessName = tostring(EventData.Image),\n SrcUsername = tostring(EventData.User),\n EventUid = _ItemId\n | project-away EventData\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\n};\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n ParsedDnsEvent_WindowsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, 
response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer,\n //EventUid = _ItemId,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n| extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\")\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Sysmon for 
Windows", + "category": "ASIM", + "FunctionAlias": "vimDnsMicrosoftSysmonWindowsEvent", + "query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n, 9001, \"FORMERR\"\n, 9002,\"SERVFAIL\"\n, 9003,'NXDOMAIN'\n, 9004,'NOTIMP'\n, 9005,'REFUSED'\n, 9006,'YXDOMAIN'\n, 9007,'YXRRSET'\n, 9008,'NXRRSET'\n, 9009,'NOTAUTH'\n, 9010,'NOTZONE'\n, 9011,'DSOTYPENI'\n, 9016,'BADVERS'\n, 9016,'BADSIG'\n, 9017,'BADKEY'\n, 9018,'BADTIME'\n, 9019,'BADMODE'\n, 9020,'BADNAME'\n, 9021,'BADALG'\n, 9022,'BADTRUNC'\n, 9023,'BADCOOKIE'\n, 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_WindowsEvent =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n | project-away Provider, EventID\n // -- Pre-parsing filtering (srcipaddr not available)\n | where\n (eventtype=='lookup')\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n | extend DnsResponseCode = toint(EventData.QueryStatus)\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n | extend \n RuleName = 
tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n SrcProcessGuid = tostring(EventData.ProcessGuid),\n SrcProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseName = tostring(EventData.QueryResults),\n SrcProcessName = tostring(EventData.Image),\n SrcUsername = tostring(EventData.User),\n EventUid = _ItemId\n | project-away EventData\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\n};\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n ParsedDnsEvent_WindowsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer,\n //EventUid = _ItemId,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n| extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff 
(DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\")\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json b/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json index 4f8f1e332ff..046ee3c427d 100644 --- a/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json +++ b/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json 
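Review bot: The RCodeTable in the new `query` value lists the key 9016 twice (`, 9016,'BADVERS'` and `, 9016,'BADSIG'`), and `lookup RCodeTable on DnsResponseCode` emits one output row per matching dimension row, so every Sysmon event 22 whose QueryStatus is 9016 is returned twice by vimDnsMicrosoftSysmonWindowsEvent, inflating counts in any detection built on it. The commit restructures the resource but carries this over unchanged; since these ARM templates are produced by the YAML-to-ARM generator, the fix belongs in the parser's source YAML rather than here, and should collapse the pair into a single row such as `, 9016,'BADVERS'` (both Windows codes share the value, so one name suffices) so the key is unique. The other parser hunks in this range do not use this table and are not affected.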
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table", - "category": "ASIM", - "FunctionAlias": "vimDnsNative", - "query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n)\n{\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (array_length(response_has_any_prefix) == 0) // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | project-rename\n EventUid = _ItemId\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = coalesce (Dvc, DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, 
strcat (EventVendor,'/', EventProduct)),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n EventSchema = \"Dns\"\n // -- Type fixes\n | extend\n ThreatConfidence = toint(ThreatConfidence),\n ThreatFirstReportedTime = todatetime(ThreatFirstReportedTime),\n ThreatIsActive = tobool(ThreatIsActive),\n ThreatLastReportedTime = todatetime(ThreatLastReportedTime),\n ThreatOriginalRiskLevel = tostring(ThreatOriginalRiskLevel),\n ThreatRiskLevel = toint(ThreatRiskLevel)\n // -- Aliases here\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n SessionId=DnsSessionId,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n User = SrcUsername,\n Hostname = SrcHostname,\n DvcScopeId = coalesce(DvcScopeId,_SubscriptionId)\n | project-away\n TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table", + "category": "ASIM", + "FunctionAlias": "vimDnsNative", + "query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n 
disabled:bool=false\n)\n{\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (array_length(response_has_any_prefix) == 0) // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | project-rename\n EventUid = _ItemId\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = coalesce (Dvc, DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n EventSchema = \"Dns\"\n // -- Type fixes\n | extend\n ThreatConfidence = toint(ThreatConfidence),\n ThreatFirstReportedTime = todatetime(ThreatFirstReportedTime),\n ThreatIsActive = tobool(ThreatIsActive),\n ThreatLastReportedTime = todatetime(ThreatLastReportedTime),\n ThreatOriginalRiskLevel = tostring(ThreatOriginalRiskLevel),\n ThreatRiskLevel = toint(ThreatRiskLevel)\n // -- Aliases here\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n SessionId=DnsSessionId,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n User = SrcUsername,\n Hostname = SrcHostname,\n DvcScopeId = coalesce(DvcScopeId,_SubscriptionId)\n | project-away\n TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, 
response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsSentinelOne/vimDnsSentinelOne.json b/Parsers/ASimDns/ARM/vimDnsSentinelOne/vimDnsSentinelOne.json index 5466c32b384..35a5d3f2824 100644 --- a/Parsers/ASimDns/ARM/vimDnsSentinelOne/vimDnsSentinelOne.json +++ b/Parsers/ASimDns/ARM/vimDnsSentinelOne/vimDnsSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimDnsSentinelOne", - "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and (eventtype == '*' or eventtype == \"Query\")\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and 
event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n and srcipaddr == '*'\n and (array_length(domain_has_any) == 0 or alertInfo_dnsRequest_s has_any (domain_has_any))\n and (response_has_ipv4 == '*' or has_ipv4(alertInfo_dnsResponse_s, response_has_ipv4))\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(alertInfo_dnsResponse_s, response_has_any_prefix))\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has \"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that 
should exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode)\n | where (responsecodename == '*' or EventResultDetails =~ responsecodename)\n | extend \n DnsQueryType = iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = 
coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n 
_ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimDnsSentinelOne", + "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and (eventtype == '*' or eventtype == 
\"Query\")\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n and srcipaddr == '*'\n and (array_length(domain_has_any) == 0 or alertInfo_dnsRequest_s has_any (domain_has_any))\n and (response_has_ipv4 == '*' or has_ipv4(alertInfo_dnsResponse_s, response_has_ipv4))\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(alertInfo_dnsResponse_s, response_has_any_prefix))\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has \"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set 
Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that should exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode)\n | where (responsecodename == '*' or EventResultDetails =~ responsecodename)\n | extend \n DnsQueryType 
= iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n 
DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json b/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json index bb811883333..1e1bfbfd363 100644 --- a/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json +++ b/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS ASIM parser for Vectra AI Steams", - "category": "ASIM", - "FunctionAlias": "vimDnsVectraAI", - "query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n) \n{\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where metadata_type_s == 'metadata_dns'\n | where (srcipaddr == '*' or id_orig_h_s == srcipaddr)\n | where (array_length(domain_has_any) == 0 or query_s has_any(domain_has_any))\n | where (responsecodename == '*' or rcode_name_s =~ responsecodename)\n | where (response_has_ipv4 == '*' or has_ipv4(answers_s, response_has_ipv4))\n | where 
(array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers_s, response_has_any_prefix))\n | where (eventtype == '*' or eventtype in~ ('Query', 'lookup'))\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = toint(id_orig_p_d),\n TransactionIdHex = tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup 
NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS ASIM parser for Vectra AI Steams", + "category": "ASIM", + "FunctionAlias": "vimDnsVectraAI", + "query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n) \n{\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where metadata_type_s == 'metadata_dns'\n | where (srcipaddr == '*' or id_orig_h_s == srcipaddr)\n | where (array_length(domain_has_any) == 0 or query_s 
has_any(domain_has_any))\n | where (responsecodename == '*' or rcode_name_s =~ responsecodename)\n | where (response_has_ipv4 == '*' or has_ipv4(answers_s, response_has_ipv4))\n | where (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers_s, response_has_any_prefix))\n | where (eventtype == '*' or eventtype in~ ('Query', 'lookup'))\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = 
toint(id_orig_p_d),\n TransactionIdHex = tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json b/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json index 7f3dadca516..4e7d3c0d9ea 100644 --- a/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json +++ b/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json 
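Review bot: The new flat `Microsoft.OperationalInsights/workspaces/savedSearches` resource keeps `"location": "[parameters('WorkspaceRegion')]"`, which the old template only carried on the parent `workspaces` resource it has now dropped; as far as I recall the savedSearches type declares no `location` property, so confirm that deployment still validates with it or remove the line and revisit whether `WorkspaceRegion` is still needed. Separately, the re-emitted `"functionParameters"` string ends in `disabled:bool=False` while the KQL signature inside `"query"` declares `disabled:bool=false`; this looks like the generator stringifying a Python bool, and since these files come from KqlFuncYaml2Arm.py the normalisation belongs there so the ARM declaration matches the KQL one. Both points apply equally to the vimDnsZscalerZIA, ASimFileEvent and ASimFileEventAzureBlobStorage hunks below.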
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Zscaler ZIA", - "category": "ASIM", - "FunctionAlias": "vimDnsZscalerZIA", - "query": "let ZscalerDNSevents=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n){\n CommonSecurityLog \n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not(disabled)\n | where DeviceProduct == \"NSSDNSlog\"\n // -- Pre-parsing filtering\n | where\n (eventtype in~ ('lookup', 'Query')\n and (srcipaddr=='*' or SourceIP==srcipaddr)\n and (array_length(domain_has_any) == 0 or DeviceCustomString5 has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DeviceCustomString6,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DeviceCustomString6, response_has_any_prefix))\n and (responsecodename in ('*', 'NOERROR') or DeviceCustomString6 =~ responsecodename)) // NOERROR is determined only later\n | extend\n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR')\n | where\n (responsecodename=='*' or 
EventResultDetails =~ responsecodename)\n // --\n | project-rename\n Dvc=Computer , \n SrcIpAddr = SourceIP, \n SrcUsername = SourceUserName,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n EventProductVersion = DeviceVersion, \n DnsQueryTypeName = DeviceCustomString4, \n DnsQuery = DeviceCustomString5, \n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\n reqaction = DeviceCustomString2, \n resaction = DeviceCustomString3, \n DvcUsername = SourceUserID,\n DvcZone = SourceUserPrivileges,\n SrcHostname = DeviceName,\n NetworkProtocol = Protocol,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n | extend\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA DNS\", \n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\", \n EventEndTime=TimeGenerated, \n SrcUsernameType = \"UPN\",\n EventSubType = iff(resaction == 'None', 'request', 'response'), \n DvcAction = iff(resaction == 'None', reqaction, resaction), \n EventType = 'Query', \n RuleName = strcat (FlexString1, \" / \", FlexString2),\n // -- Adjustment to support both old and new CSL fields.\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \n DnsNetworkDuration = coalesce(\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\n )\n | extend \n EventResult = case (\n EventSubType == 'request', 'NA', \n EventResultDetails == 'NOERROR', 'Success',\n 'Failure'),\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n // -- Aliases\n | extend\n DnsResponseCodeName = EventResultDetails,\n Domain = DnsQuery,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Hostname = SrcHostname,\n Dst = DstIpAddr,\n DvcHostname = Dvc,\n Duration = DnsNetworkDuration,\n User = SrcUsername,\n // -- Entity identifier explicit aliases\n SrcUserUpn = 
SrcUsername\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\n };\nZscalerDNSevents (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Zscaler ZIA", + "category": "ASIM", + "FunctionAlias": "vimDnsZscalerZIA", + "query": "let ZscalerDNSevents=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n){\n CommonSecurityLog \n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not(disabled)\n | where DeviceProduct == \"NSSDNSlog\"\n // -- Pre-parsing filtering\n | where\n (eventtype in~ ('lookup', 'Query')\n and (srcipaddr=='*' or SourceIP==srcipaddr)\n and (array_length(domain_has_any) == 0 or DeviceCustomString5 has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DeviceCustomString6,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 
0 or has_any_ipv4_prefix(DeviceCustomString6, response_has_any_prefix))\n and (responsecodename in ('*', 'NOERROR') or DeviceCustomString6 =~ responsecodename)) // NOERROR is determined only later\n | extend\n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR')\n | where\n (responsecodename=='*' or EventResultDetails =~ responsecodename)\n // --\n | project-rename\n Dvc=Computer , \n SrcIpAddr = SourceIP, \n SrcUsername = SourceUserName,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n EventProductVersion = DeviceVersion, \n DnsQueryTypeName = DeviceCustomString4, \n DnsQuery = DeviceCustomString5, \n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\n reqaction = DeviceCustomString2, \n resaction = DeviceCustomString3, \n DvcUsername = SourceUserID,\n DvcZone = SourceUserPrivileges,\n SrcHostname = DeviceName,\n NetworkProtocol = Protocol,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n | extend\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA DNS\", \n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\", \n EventEndTime=TimeGenerated, \n SrcUsernameType = \"UPN\",\n EventSubType = iff(resaction == 'None', 'request', 'response'), \n DvcAction = iff(resaction == 'None', reqaction, resaction), \n EventType = 'Query', \n RuleName = strcat (FlexString1, \" / \", FlexString2),\n // -- Adjustment to support both old and new CSL fields.\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \n DnsNetworkDuration = coalesce(\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\n )\n | extend \n EventResult = case (\n EventSubType == 'request', 'NA', \n EventResultDetails == 'NOERROR', 'Success',\n 'Failure'),\n DnsResponseName = iff 
(EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n // -- Aliases\n | extend\n DnsResponseCodeName = EventResultDetails,\n Domain = DnsQuery,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Hostname = SrcHostname,\n Dst = DstIpAddr,\n DvcHostname = Dvc,\n Duration = DnsNetworkDuration,\n User = SrcUsername,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\n };\nZscalerDNSevents (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json index 1dfda1eab21..e455ffbddea 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimFileEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimFileEventEmpty,\n ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n 
ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSecurityEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSecurityEvents' in (DisabledParsers) ))),\n ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),\n ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimFileEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet 
parser=(pack:bool=false){\nunion isfuzzy=true\n vimFileEventEmpty,\n ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSecurityEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSecurityEvents' in (DisabledParsers) ))),\n ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),\n 
ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json index c3d5f4a32c8..d552ccaef2a 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAzureBlobStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventAzureBlobStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Azure Blob Storage", - "category": "ASIM", - "FunctionAlias": "ASimFileEventAzureBlobStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n let bloboperations=datatable(OperationName: string, EventType: string)\n[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n];\n StorageBlobLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n //\n | lookup bloboperations on OperationName\n | project-rename \n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n HttpUserAgent=UserAgentHeader\n ,\n TargetUrl=Uri\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 
'Failure') \n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Azure Blob Storage", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAzureBlobStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n let bloboperations=datatable(OperationName: string, EventType: string)\n[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n];\n StorageBlobLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n //\n | lookup bloboperations on OperationName\n | project-rename \n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n HttpUserAgent=UserAgentHeader\n ,\n TargetUrl=Uri\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventProduct='Azure File Storage' \n ,\n 
EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json index d66a6c84c8b..cae7100caa6 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json 
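Review bot: The re-emitted `"query"` for the Blob Storage parser sets `EventProduct='Azure File Storage'`, the value used by the sibling File Storage parser, and its leading comment links to `https://docs.microsoft.comrest/...` with the `/` before `rest` missing; both are carried over from the old side, and because this JSON is generated the fix belongs in the parser's YAML source (`EventProduct='Azure Blob Storage'`) with the ARM template regenerated. `SrcPortNumber` is also emitted as `tostring(split(CallerIpAddress, ':')[1])`, whereas the ASIM schema, if I recall it correctly, types that field as an integer, so `toint(split(CallerIpAddress, ':')[1])` would be the schema-conformant form.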
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAzureFileStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventAzureFileStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Azure File Storage", - "category": "ASIM", - "FunctionAlias": "ASimFileEventAzureFileStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet fileoperations=datatable(OperationName:string, EventType:string)[\n\"DeleteFile\", \"FileDeleted\"\n, \"DeleteDirectory\", \"FolderDeleted\"\n, \"GetFile\", \"FileAccessed\"\n, \"CopyFile\", \"FileCopied\"\n, \"CreateFileSnapshot\", \"FileCreated\"\n, \"CreateDirectory\", \"FolderCreated\"\n, \"CreateFile\", \"FileCreated\"\n, \"CreateShare\", \"FolderCreated\"\n, \"DeleteShare\", \"FileDeleted\"\n, \"PutRange\", \"FileModified\"\n, \"CopyFileDestination\", \"FileCopied\"\n, \"CopyFileSource\", \"FileCopied\"\n];\nStorageFileLogs\n| where not(disabled)\n// **** relevant data filtering;\n| where OperationName in (fileoperations)\n//\n| extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n//\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n \t, EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n\t, 
TargetFilePath=tostring(split(Uri,'?')[0]) \n\t, TargetFilePathType='URL'\n \t, TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n \t, HttpUserAgent=UserAgentHeader\n| extend TargetFileName=tostring(split(TargetFilePath,'/')[-1])\n| lookup fileoperations on OperationName\n// Aliases\n| extend \n FilePath=TargetFilePath\n };\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Azure File Storage", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAzureFileStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet fileoperations=datatable(OperationName:string, EventType:string)[\n\"DeleteFile\", \"FileDeleted\"\n, \"DeleteDirectory\", \"FolderDeleted\"\n, \"GetFile\", \"FileAccessed\"\n, \"CopyFile\", \"FileCopied\"\n, \"CreateFileSnapshot\", \"FileCreated\"\n, \"CreateDirectory\", \"FolderCreated\"\n, \"CreateFile\", \"FileCreated\"\n, \"CreateShare\", \"FolderCreated\"\n, \"DeleteShare\", \"FileDeleted\"\n, \"PutRange\", \"FileModified\"\n, \"CopyFileDestination\", \"FileCopied\"\n, \"CopyFileSource\", \"FileCopied\"\n];\nStorageFileLogs\n| where not(disabled)\n// **** relevant data filtering;\n| where OperationName in (fileoperations)\n//\n| extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n//\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n \t, EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n\t, TargetFilePath=tostring(split(Uri,'?')[0]) \n\t, TargetFilePathType='URL'\n \t, TargetUrl=Uri\n , 
SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n \t, HttpUserAgent=UserAgentHeader\n| extend TargetFileName=tostring(split(TargetFilePath,'/')[-1])\n| lookup fileoperations on OperationName\n// Aliases\n| extend \n FilePath=TargetFilePath\n };\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json index 8c06b130232..966e33d2762 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json 
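Review bot: `SrcPortNumber=tostring(split(CallerIpAddress,':')[0])` in the new-side query takes the same element as `SrcIpAddr`, so the port column is filled with the caller's IP address rather than its port; the Blob parser in the section above uses `[1]` for the port. The Queue and Table hunks below carry the same pattern. Change it to `SrcPortNumber=tostring(split(CallerIpAddress,':')[1])`. This JSON looks like generated output, so the same correction presumably has to land in the parser's source definition or the next regeneration will reintroduce it.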
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAzureQueueStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventAzureQueueStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Azure Queue Storage", - "category": "ASIM", - "FunctionAlias": "ASimFileEventAzureQueueStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n let queueoperations=datatable(OperationName: string, EventType: string)\n[\n \"ClearMessages\", \"FileDeleted\"\n ,\n \"CreateQueue\", \"FileCreated\"\n ,\n \"DeleteQueue\", \"FileDeleted\"\n ,\n \"DeleteMessage\", \"FileDeleted\"\n ,\n \"GetQueue\", \"FileAccessed\"\n ,\n \"GetMessage\", \"FileAccessed\"\n ,\n \"GetMessages\", \"FileAccessed\"\n ,\n \"PeekMessage\", \"FileAccessed\"\n ,\n \"PeekMessages\", \"FileAccessed\"\n ,\n \"PutMessage\", \"FileCreated\"\n ,\n \"UpdateMessage\", \"FileModified\" \n];\n StorageQueueLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n 
EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup queueoperations on OperationName\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Azure Queue Storage", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAzureQueueStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n let queueoperations=datatable(OperationName: string, EventType: string)\n[\n \"ClearMessages\", \"FileDeleted\"\n ,\n \"CreateQueue\", \"FileCreated\"\n ,\n \"DeleteQueue\", \"FileDeleted\"\n ,\n \"DeleteMessage\", \"FileDeleted\"\n ,\n \"GetQueue\", \"FileAccessed\"\n ,\n \"GetMessage\", \"FileAccessed\"\n ,\n \"GetMessages\", \"FileAccessed\"\n ,\n \"PeekMessage\", \"FileAccessed\"\n ,\n \"PeekMessages\", \"FileAccessed\"\n ,\n \"PutMessage\", \"FileCreated\"\n ,\n \"UpdateMessage\", \"FileModified\" \n];\n StorageQueueLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n 
TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup queueoperations on OperationName\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json index f9c39d9f89d..b2721b7104d 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json 
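Review bot: `EventProduct='Azure File Storage'` in the Queue parser's query labels events read from `StorageQueueLogs` as file-storage activity, which misattributes the source for any detection or workbook that filters on EventProduct; the Table hunk below sets the same value while reading `StorageTableLogs`. The `displayName` on the same resource already says "Azure Queue Storage", so `EventProduct='Azure Queue Storage'` here (and `'Azure Table Storage'` in the Table parser) is presumably the intended value. As with the other storage parsers, the fix should also go into the source definition this JSON appears to be generated from.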
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAzureTableStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventAzureTableStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Azure Table Storage", - "category": "ASIM", - "FunctionAlias": "ASimFileEventAzureTableStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet tableoperations=datatable(OperationName:string, EventType:string)[\n, \"CreateTable\", \"FileCreated\"\n, \"DeleteTable\", \"FileDeleted\"\n, \"DeleteEntity\", \"FileModified\"\n, \"InsertEntity\", \"FileModified\"\n, \"InsertOrMergeEntity\", \"FileModified\"\n, \"InsertOrReplaceEntity\", \"FileModified\"\n, \"QueryEntity\", \"FileAccessed\"\n, \"QueryEntities\", \"FileAccessed\"\n, \"QueryTable\", \"FileAccessed\"\n, \"QueryTables\", \"FileAccessed\"\n, \"UpdateEntity\", \"FileModified\"\n, \"MergeEntity\", \"FileModified\"\n ];\n StorageTableLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , 
EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , TargetFilePathType='URL'\n , TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n , HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup tableoperations on OperationName\n // Aliases\n | extend \n FilePath=TargetFilePath\n };\n parser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Azure Table Storage", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAzureTableStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet tableoperations=datatable(OperationName:string, EventType:string)[\n, \"CreateTable\", \"FileCreated\"\n, \"DeleteTable\", \"FileDeleted\"\n, \"DeleteEntity\", \"FileModified\"\n, \"InsertEntity\", \"FileModified\"\n, \"InsertOrMergeEntity\", \"FileModified\"\n, \"InsertOrReplaceEntity\", \"FileModified\"\n, \"QueryEntity\", \"FileAccessed\"\n, \"QueryEntities\", \"FileAccessed\"\n, \"QueryTable\", \"FileAccessed\"\n, \"QueryTables\", \"FileAccessed\"\n, \"UpdateEntity\", \"FileModified\"\n, \"MergeEntity\", \"FileModified\"\n ];\n StorageTableLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , 
TargetFilePathType='URL'\n , TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n , HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup tableoperations on OperationName\n // Aliases\n | extend \n FilePath=TargetFilePath\n };\n parser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventGoogleWorkspace/ASimFileEventGoogleWorkspace.json b/Parsers/ASimFileEvent/ARM/ASimFileEventGoogleWorkspace/ASimFileEventGoogleWorkspace.json index 9e9bbc90481..5c915d28366 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventGoogleWorkspace/ASimFileEventGoogleWorkspace.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventGoogleWorkspace/ASimFileEventGoogleWorkspace.json 
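Review bot: The `tableoperations` datatable literal in the new-side query opens with a stray comma (`[\n, \"CreateTable\", \"FileCreated\"`), which I would expect the KQL parser to reject, and `split(TargetFilePath,'/')['-1']` indexes with the string `'-1'` where the File, Queue and Blob parsers use the integer `-1`, so either the function fails to save or TargetFileName comes back empty. Drop the leading comma and change the index to `split(TargetFilePath,'/')[-1]`. Because this JSON appears to be generated, the source definition needs the same two corrections.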
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventGoogleWorkspace')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventGoogleWorkspace", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File events ASIM parser for Google Workspace", - "category": "ASIM", - "FunctionAlias": "ASimFileEventGoogleWorkspace", - "query": "let parser = (\n disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n 
\"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", \"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycle\",\n \"move\", \"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n \"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n | where event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n 
ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" 
created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 
'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from \", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n \"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FileNameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = 
SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File events ASIM parser for Google Workspace", + "category": "ASIM", + "FunctionAlias": "ASimFileEventGoogleWorkspace", + "query": "let parser = (\n disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n \"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", 
\"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycle\",\n \"move\", \"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n \"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n | where event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = 
IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", 
old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n 
event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from \", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n \"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FileNameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n 
EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileCreated/ASimFileEventLinuxSysmonFileCreated.json b/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileCreated/ASimFileEventLinuxSysmonFileCreated.json index 433d75b8b3f..e01e8ea3e04 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileCreated/ASimFileEventLinuxSysmonFileCreated.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileCreated/ASimFileEventLinuxSysmonFileCreated.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventLinuxSysmonFileCreated')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventLinuxSysmonFileCreated", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File create Activity ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimFileEventLinuxSysmonFileCreated", - "query": "let parser = (\n disabled: bool=false\n)\n{\nSyslog\n| where not(disabled)\n| where SyslogMessage has_all ('11')\n| parse SyslogMessage with *\n ''msgEventRecordID:string''\n *\n //''msgComputer:string''\n ''\n * \n ''msgProcessGuid:string''\n ''msgProcessId:string''\n ''msgImage:string''\n ''msgTargetFileName:string''\n ''msgCreationUtcTime:datetime''*\n| parse SyslogMessage with *''ActorUsername ''*\n| extend\n EventCount=int(1)\n , EventStartTime =TimeGenerated \n , EventEndTime=TimeGenerated\n , EventType = 'FileCreated'\n , EventResult ='Success'\n , EventOriginalType ='11' \n , EventProduct='Sysmon for Linux'\n , EventProductVersion='v13.22'\n , EventVendor ='Microsoft'\n , EventSchemaVersion ='0.1.0'\n , DvcOs = 'Linux'\n , TargetFilePathType='Unix'\n , ActorUserType = iff(isnotempty(ActorUsername),'Simple', '') // make sure user type is okay\n| project-rename\n DvcHostname=Computer\n , EventOriginalUid=msgEventRecordID\n , ActingProcessName =msgImage\n , ActingProcessId=msgProcessId\n , ActingProcessGuid=msgProcessGuid\n , TargetFilePath =msgTargetFileName\n , TargetFileCreationTime =msgCreationUtcTime\n // ------ Alias\n| extend\n 
Process=ActingProcessName\n , FilePath=TargetFilePath\n , Dvc = DvcHostname\n , User = ActorUsername\n| project-away SyslogMessage\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File create Activity ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "ASimFileEventLinuxSysmonFileCreated", + "query": "let parser = (\n disabled: bool=false\n)\n{\nSyslog\n| where not(disabled)\n| where SyslogMessage has_all ('11')\n| parse SyslogMessage with *\n ''msgEventRecordID:string''\n *\n //''msgComputer:string''\n ''\n * \n ''msgProcessGuid:string''\n ''msgProcessId:string''\n ''msgImage:string''\n ''msgTargetFileName:string''\n ''msgCreationUtcTime:datetime''*\n| parse SyslogMessage with *''ActorUsername ''*\n| extend\n EventCount=int(1)\n , EventStartTime =TimeGenerated \n , EventEndTime=TimeGenerated\n , EventType = 'FileCreated'\n , EventResult ='Success'\n , EventOriginalType ='11' \n , EventProduct='Sysmon for Linux'\n , EventProductVersion='v13.22'\n , EventVendor ='Microsoft'\n , EventSchemaVersion ='0.1.0'\n , DvcOs = 'Linux'\n , TargetFilePathType='Unix'\n , ActorUserType = iff(isnotempty(ActorUsername),'Simple', '') // make sure user type is okay\n| project-rename\n DvcHostname=Computer\n , EventOriginalUid=msgEventRecordID\n , ActingProcessName =msgImage\n , ActingProcessId=msgProcessId\n , ActingProcessGuid=msgProcessGuid\n , TargetFilePath =msgTargetFileName\n , TargetFileCreationTime =msgCreationUtcTime\n // ------ Alias\n| extend\n Process=ActingProcessName\n , FilePath=TargetFilePath\n , Dvc = DvcHostname\n , User = ActorUsername\n| project-away SyslogMessage\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
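Review bot: The flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource drops both the parent workspace resource and the `dependsOn`, so the template now presumes `parameters('Workspace')` already exists and the deployment fails otherwise, whereas the removed nested form issued its own PUT against the workspace (carrying only `location`), which could touch the workspace itself. That is the safer contract, but nothing in the template states it; the Workspace parameter definition sits outside the hunk, and I would give it `"metadata": { "description": "Name of an existing Log Analytics workspace; this template does not create or modify it" }`. Whether `location` is honoured on a `savedSearches` child is worth confirming against the 2020-08-01 schema — presumably it is ignored for this proxy resource, in which case it can be dropped. The same restructuring appears in the ASimFileEventLinuxSysmonFileDeleted, ASimFileEventMicrosoft365D and ASimFileEventMicrosoftSecurityEvents hunks below, and this note applies to them as well.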
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileDeleted/ASimFileEventLinuxSysmonFileDeleted.json b/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileDeleted/ASimFileEventLinuxSysmonFileDeleted.json
index 1dc3ef2954f..8826b7fe75c 100644
--- a/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileDeleted/ASimFileEventLinuxSysmonFileDeleted.json
+++ b/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileDeleted/ASimFileEventLinuxSysmonFileDeleted.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventLinuxSysmonFileDeleted')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventLinuxSysmonFileDeleted", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File delete activity ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimFileEventLinuxSysmonFileDeleted", - "query": "let parser = (\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where SyslogMessage has ('23', '26')\t\n | parse SyslogMessage with \n ''msgEventId: string''\n *\n ''msgEventRecordID: string''\n *\n ''msgComputer: string''\n ''\n *\n '{'msgProcessGuid: string'}'\n ''msgProcessId: string''\n ''msgUser: string''\n ''msgImage: string''\n ''msgTargetFilename: string''\n ''msgHashes: string'' *\t\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileDeleted'\n ,\n EventResult ='Success' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22' \n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUsernameType='Simple'\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n EventOriginalType =msgEventId \n ,\n ActorUsername=msgUser\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFilename\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n 
FilePath=TargetFilePath\n ,\n Dvc =DvcHostname\n ,\n User=ActorUsername\n | project-away SyslogMessage\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File delete activity ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "ASimFileEventLinuxSysmonFileDeleted", + "query": "let parser = (\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where SyslogMessage has ('23', '26')\t\n | parse SyslogMessage with \n ''msgEventId: string''\n *\n ''msgEventRecordID: string''\n *\n ''msgComputer: string''\n ''\n *\n '{'msgProcessGuid: string'}'\n ''msgProcessId: string''\n ''msgUser: string''\n ''msgImage: string''\n ''msgTargetFilename: string''\n ''msgHashes: string'' *\t\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileDeleted'\n ,\n EventResult ='Success' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22' \n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUsernameType='Simple'\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n EventOriginalType =msgEventId \n ,\n ActorUsername=msgUser\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFilename\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc =DvcHostname\n ,\n User=ActorUsername\n | project-away SyslogMessage\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
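Review bot: The prefilter `| where SyslogMessage has ('23', '26')` in the new query hands a two-element list to `has`, which takes a single term; it reads as if `has_any` was intended, and as written it is either a compile error or a match on something other than the two event ids, so confirm the function actually runs. Even with `has_any`, a token match anywhere in the syslog text is the only event-id gate, while `msgEventId` is parsed out and renamed to `EventOriginalType` without ever being checked, so any Sysmon record whose text happens to contain `23` or `26` is labelled `EventType = 'FileDeleted'`; add `| where msgEventId in ('23', '26')` immediately after the parse. The ASimFileEventLinuxSysmonFileCreated hunk above has the same prefilter-only gating (`has_all ('11')`) and does not parse the event id at all, so there the id has to be extracted before it can be checked. The query text is carried over unchanged by this commit, but it is the new-side content under review.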
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoft365D/ASimFileEventMicrosoft365D.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoft365D/ASimFileEventMicrosoft365D.json
index 844f2a4d1df..d3101e5376f 100644
--- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoft365D/ASimFileEventMicrosoft365D.json
+++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoft365D/ASimFileEventMicrosoft365D.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM parser for Microsoft 365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoft365D", - "query": "let protocols = dynamic(['smb']);\nlet parser=(disabled:bool=false){\n let remote_events = \n DeviceFileEvents\n | where not(disabled)\n | where isnotempty(RequestAccountName)\n | project-rename \n SrcIpAddr = RequestSourceIP,\n ActorUserSid = RequestAccountSid,\n TargetUserSid = InitiatingProcessAccountSid,\n TargetUserAadId = InitiatingProcessAccountObjectId,\n TargetUserUpn = InitiatingProcessAccountUpn\n | extend\n ActorWindowsUsername = strcat(RequestAccountDomain,'\\\\', RequestAccountName),\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName),\n ActorUserUpn = \"\",\n ActorUserAadId = \"\"\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\n TargetUserType = _ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\n | extend\n SrcPortNumber = toint(RequestSourcePort),\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \n TargetUserIdType = iff(isempty(TargetUserSid),'AADID','SID'),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n 
;\n let local_events = \n DeviceFileEvents\n | where not(disabled)\n | where isempty(RequestAccountName) \n | project-rename\n ActorUserSid = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn\n | extend \n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName) \n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\n | project-away RequestAccountSid, RequestSourceIP\n ;\n union \n remote_events\n , \n local_events\n | project-rename\n EventType = ActionType,\n DvcId = DeviceId,\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileSHA256 = SHA256,\n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessName =InitiatingProcessFolderPath,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessParentFileName = InitiatingProcessParentFileName,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\n TargetFileName = FileName,\n SrcFileName = PreviousFileName\n | extend\n DvcOs = iff(FolderPath startswith \"/\", \"Linux\", \"Windows\"),\n TargetFileSize = tolong(FileSize)\n | extend\n EventCount = int(1),\n EventOriginalUid = tostring(ReportId),\n ActingProcessId = tostring(InitiatingProcessId),\n EventStartTime = Timestamp, \n EventEndTime= Timestamp,\n EventResult = 'Success',\n EventProduct = 'M365 Defender for Endpoint',\n EventSchema = 'FileEvent',\n EventVendor = 'Microsoft',\n EventSeverity = 'Informational',\n EventSchemaVersion = '0.2.1',\n DvcIdType = \"MDEid\",\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \n ActorUserIdType = iff(isempty(ActorUserSid),'AADID','SID'),\n 
TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\n TargetFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\n | project-away DeviceName\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),Hash)]) \n // ****** Aliases\n | extend \n User = ActorUsername,\n Dvc = coalesce(DvcFQDN, DvcHostname),\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n CommandLine = ActingProcessCommandLine,\n DvcMDEid = DvcId,\n FileName = TargetFileName\n | project-away MachineGroup, ReportId, SourceSystem, Initiating*, Timestamp, TenantId, Request*, PreviousFolderPath, FolderPath, AppGuardContainerId\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\n };\n parser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM parser for Microsoft 365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoft365D", + "query": "let protocols = dynamic(['smb']);\nlet parser=(disabled:bool=false){\n let remote_events = \n DeviceFileEvents\n | where not(disabled)\n | where isnotempty(RequestAccountName)\n | project-rename \n SrcIpAddr = RequestSourceIP,\n ActorUserSid = RequestAccountSid,\n TargetUserSid = InitiatingProcessAccountSid,\n TargetUserAadId = InitiatingProcessAccountObjectId,\n TargetUserUpn = InitiatingProcessAccountUpn\n | extend\n ActorWindowsUsername = 
strcat(RequestAccountDomain,'\\\\', RequestAccountName),\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName),\n ActorUserUpn = \"\",\n ActorUserAadId = \"\"\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\n TargetUserType = _ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\n | extend\n SrcPortNumber = toint(RequestSourcePort),\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \n TargetUserIdType = iff(isempty(TargetUserSid),'AADID','SID'),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n ;\n let local_events = \n DeviceFileEvents\n | where not(disabled)\n | where isempty(RequestAccountName) \n | project-rename\n ActorUserSid = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn\n | extend \n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName) \n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\n | project-away RequestAccountSid, RequestSourceIP\n ;\n union \n remote_events\n , \n local_events\n | project-rename\n EventType = ActionType,\n DvcId = DeviceId,\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileSHA256 = SHA256,\n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessName =InitiatingProcessFolderPath,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessParentFileName = InitiatingProcessParentFileName,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\n TargetFileName = FileName,\n SrcFileName = PreviousFileName\n | extend\n DvcOs = iff(FolderPath 
startswith \"/\", \"Linux\", \"Windows\"),\n TargetFileSize = tolong(FileSize)\n | extend\n EventCount = int(1),\n EventOriginalUid = tostring(ReportId),\n ActingProcessId = tostring(InitiatingProcessId),\n EventStartTime = Timestamp, \n EventEndTime= Timestamp,\n EventResult = 'Success',\n EventProduct = 'M365 Defender for Endpoint',\n EventSchema = 'FileEvent',\n EventVendor = 'Microsoft',\n EventSeverity = 'Informational',\n EventSchemaVersion = '0.2.1',\n DvcIdType = \"MDEid\",\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \n ActorUserIdType = iff(isempty(ActorUserSid),'AADID','SID'),\n TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\n TargetFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\n | project-away DeviceName\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),Hash)]) \n // ****** Aliases\n | extend \n User = ActorUsername,\n Dvc = coalesce(DvcFQDN, DvcHostname),\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n CommandLine = ActingProcessCommandLine,\n DvcMDEid = DvcId,\n FileName = TargetFileName\n | project-away MachineGroup, ReportId, SourceSystem, Initiating*, Timestamp, TenantId, Request*, PreviousFolderPath, FolderPath, AppGuardContainerId\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\n };\n parser (disabled = 
disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json
index 8b66fdf35d3..7bb87089da5 100644
--- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json
+++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json
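Review bot: `ActorUserIdType = iff(isempty(ActorUserSid),'AADID','SID')` disagrees with the value it describes: `ActorUserId = coalesce(ActorUserAadId, ActorUserSid)` prefers the AAD object id, so for local events where both `InitiatingProcessAccountObjectId` and `InitiatingProcessAccountSid` are populated the id is the AAD id but the type says `SID`. The same inversion is in `TargetUserIdType = iff(isempty(TargetUserSid),'AADID','SID')` inside `remote_events`. Key the type off the field coalesce picks first, as the username handling already does: `ActorUserIdType = iff(isempty(ActorUserAadId), 'SID', 'AADID')` and `TargetUserIdType = iff(isempty(TargetUserAadId), 'SID', 'AADID')`. Separately, `HashType` looks like it resolves to `SHA256` for rows with no hash at all, because `array_index_of` on an empty `Hash` presumably matches the first empty element of `pack_array(...)`; wrapping it as `HashType = iff(isempty(Hash), "", ...)` avoids that. The query is moved rather than changed by this commit, but it is the new-side content under review.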
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM parser for Microsoft Windows Events", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftSecurityEvents", - "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n \"0x1\", \"ObjectAccessed\"\n , \"0x10\", \"MetadataModified\"\n , \"0x100\", \"MetadataModified\"\n , \"0x10000\", \"ObjectDeleted\"\n , \"0x2\", \"ObjectModified\"\n , \"0x20000\", \"MetadataAccessed\"\n , \"0x4\", \"ObjectModified\"\n , \"0x40\", \"ObjectDeleted\"\n , \"0x40000\", \"MetadataModified\"\n , \"0x6\", \"ObjectModified\"\n , \"0x8\", \"MetadataAccessed\"\n , \"0x80\", \"MetadataAccessed\"\n , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\nSecurityEvent\n| where not(disabled)\n| where EventID == 4663 \n and ObjectType == \"File\"\n and ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId,Type\n| 
lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetFilePath = ObjectName\n , TargetFilePathFormat = \"Windows Local\"\n , ActingProcessId = tostring(toint(ProcessId))\n , EventOriginalType = tostring(EventID)\n , ActorUserIdType=\"SID\"\n , TargetFilePathType=\"Windows Local\"\n| project-away EventID, ProcessId, AccountType, username\n| project-rename ActorUserId = SubjectUserSid\n , DvcHostname = Computer\n , Process = ProcessName\n , FilePath = ObjectName\n , ActorSessionId = SubjectLogonId\n , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n , EventSchemaVersion = \"0.1.1\"\n , EventResult = \"Success\"\n , EventCount = int(1)\n , EventVendor = 'Microsoft'\n , EventProduct = 'Security Events'\n , Dvc = DvcHostname\n , ActorWindowsUsername = ActorUsername\n , User = ActorUsername\n , ActorUserSid = ActorUserId\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM parser for Microsoft Windows Events", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoftSecurityEvents", + "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n \"0x1\", \"ObjectAccessed\"\n , \"0x10\", \"MetadataModified\"\n , \"0x100\", \"MetadataModified\"\n , \"0x10000\", \"ObjectDeleted\"\n , \"0x2\", \"ObjectModified\"\n , \"0x20000\", \"MetadataAccessed\"\n , \"0x4\", \"ObjectModified\"\n , \"0x40\", \"ObjectDeleted\"\n , 
\"0x40000\", \"MetadataModified\"\n , \"0x6\", \"ObjectModified\"\n , \"0x8\", \"MetadataAccessed\"\n , \"0x80\", \"MetadataAccessed\"\n , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\nSecurityEvent\n| where not(disabled)\n| where EventID == 4663 \n and ObjectType == \"File\"\n and ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId,Type\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetFilePath = ObjectName\n , TargetFilePathFormat = \"Windows Local\"\n , ActingProcessId = tostring(toint(ProcessId))\n , EventOriginalType = tostring(EventID)\n , ActorUserIdType=\"SID\"\n , TargetFilePathType=\"Windows Local\"\n| project-away EventID, ProcessId, AccountType, username\n| project-rename ActorUserId = SubjectUserSid\n , DvcHostname = Computer\n , Process = ProcessName\n , FilePath = ObjectName\n , ActorSessionId = SubjectLogonId\n , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n , EventSchemaVersion = \"0.1.1\"\n , EventResult = \"Success\"\n , EventCount = int(1)\n , EventVendor = 'Microsoft'\n , EventProduct = 'Security Events'\n , Dvc = DvcHostname\n , ActorWindowsUsername = ActorUsername\n , User = ActorUsername\n , ActorUserSid = ActorUserId\n | project-away 
AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (disabled = disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSharePoint/ASimFileEventMicrosoftSharePoint.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSharePoint/ASimFileEventMicrosoftSharePoint.json
index 219be7f1070..eb6a2dbbb96 100644
--- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSharePoint/ASimFileEventMicrosoftSharePoint.json
+++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSharePoint/ASimFileEventMicrosoftSharePoint.json
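Review bot: `lookup EventTypeLookup on AccessMask` maps thirteen exact mask values only, so a 4663 event whose `AccessMask` is any other single bit or a combined mask (which do occur) leaves `EventType` empty for that row, and downstream content that selects on `EventType` never sees it. Either extend the table or make the gap explicit after the lookup, e.g. `| extend EventType = iff(isempty(EventType), "ObjectAccessed", EventType)` as a conservative fallback, or `| where isnotempty(EventType)` so the drop is deliberate rather than silent; a comment next to the datatable should say the mapping is by exact mask value, not by bit. `UserTypeLookup` has the same one-sided shape, leaving `ActorUserType` empty for any `AccountType` other than `User` or `Machine`. The query is carried across unchanged by the commit, but it is the new-side content under review.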
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftSharePoint')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftSharePoint", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Sharepoint and OneDrive for business", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftSharePoint", - "query": "let _ASIM_ResolveActorUsername = (T:(*), UsernameField: string) { \n T\n | extend ActorUsername = column_ifexists(UsernameField,\"\")\n | extend windows = ActorUsername has '\\\\'\n | extend \n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\n ActorUserUpn = iff (windows, \"\", ActorUsername),\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\n};\n let operations = datatable (Operation:string, EventType:string, EventSubType:string) [\n \"FileUploaded\", \"FileCreated\", \"Upload\",\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\n \"FileDeleted\", \"FileDeleted\", \"\",\n \"FileAccessed\", \"FileAccessed\", \"\",\n \"FolderCreated\", \"FolderCreated\", \"\",\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\n \"FolderModified\", \"FolderModified\", \"\",\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\n \"FileModified\", \"FolderModified\", \"\",\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\n 
\"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\n \"SiteDeleted\", \"FolderDeleted\", \"Site\",\n \"FileRenamed\", \"FileRenamed\", \"\",\n \"FileMoved\", \"FileMoved\", \"\",\n \"FileCopied\", \"FileCopied\", \"\",\n \"FolderCopied\", \"FolderCopied\", \"\",\n \"FolderMoved\", \"FolderMoved\", \"\",\n \"FolderRenamed\", \"FolderRenamed\", \"\",\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\n \"FolderDeleted\", \"FolderDeleted\", \"\",\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\n ];\n let multiple_file_operations = dynamic([\n \"FileRenamed\",\n \"FileMoved\",\n \"FileCopied\",\n \"FolderCopied\",\n \"FolderMoved\",\n \"FolderRenamed\"\n ]);\n let parser=(disabled:bool=false){\n let OfficeActivityProjected = \n OfficeActivity\n | where not(disabled)\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\n | project Operation, OrganizationId, OrganizationName, SourceRecordId, OfficeWorkload, UserId, ClientIP, UserAgent, Start_Time, TimeGenerated, Type, OfficeObjectId, SourceFileName, SourceFileExtension, DestinationFileName, DestinationFileExtension, Site_Url, DestinationRelativeUrl, UserKey, MachineDomainInfo, MachineId; // ,_ItemId \n let SingleFileOperationEvents = \n OfficeActivityProjected\n | where Operation !in (multiple_file_operations)\n | project-rename \n TargetFilePath = OfficeObjectId,\n TargetFileName = SourceFileName,\n TargetFileExtension = SourceFileExtension\n | extend \n TargetFilePathType = \"URL\"\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\n ;\n // single in dest: SiteDeleted\n let MultipleFileOperationsEvents = \n OfficeActivityProjected\n | where Operation in 
(multiple_file_operations)\n | project-rename \n SrcFilePath = OfficeObjectId,\n TargetFileName = DestinationFileName,\n TargetFileExtension = DestinationFileExtension,\n SrcFileName = SourceFileName,\n SrcFileExtension = SourceFileExtension\n | extend \n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\n TargetFilePathType = \"URL\",\n SrcFilePathType = \"URL\"\n | project-away DestinationRelativeUrl\n ;\n union SingleFileOperationEvents, MultipleFileOperationsEvents\n | lookup operations on Operation\n | invoke _ASIM_ResolveActorUsername('UserId')\n | project-away UserId\n | project-rename \n EventOriginalType = Operation,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId,\n EventProduct = OfficeWorkload,\n ActorUserId = UserKey,\n HttpUserAgent = UserAgent,\n SrcIpAddr = ClientIP,\n EventStartTime = Start_Time,\n // EvetUid = _ItemId,\n TargetUrl = Site_Url,\n SrcDvcId = MachineId,\n SrcDvcScopeId = MachineDomainInfo\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated,\n EventResult = \"Success\",\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.1',\n EventSchema = \"FileEvent\",\n ActorUserIdType = 'Other',\n SrcDvcIdType = 'Other',\n TargetAppName = EventProduct,\n TargetAppType = 'SaaS application',\n Dvc = strcat ('Microsoft ', EventProduct)\n // Aliases\n | extend \n User = ActorUsername,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Url = TargetUrl,\n Dvc = EventProduct,\n Application = EventProduct\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Sharepoint and OneDrive for business", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoftSharePoint", + "query": "let _ASIM_ResolveActorUsername = (T:(*), 
UsernameField: string) { \n T\n | extend ActorUsername = column_ifexists(UsernameField,\"\")\n | extend windows = ActorUsername has '\\\\'\n | extend \n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\n ActorUserUpn = iff (windows, \"\", ActorUsername),\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\n};\n let operations = datatable (Operation:string, EventType:string, EventSubType:string) [\n \"FileUploaded\", \"FileCreated\", \"Upload\",\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\n \"FileDeleted\", \"FileDeleted\", \"\",\n \"FileAccessed\", \"FileAccessed\", \"\",\n \"FolderCreated\", \"FolderCreated\", \"\",\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\n \"FolderModified\", \"FolderModified\", \"\",\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\n \"FileModified\", \"FolderModified\", \"\",\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\n \"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\n \"SiteDeleted\", \"FolderDeleted\", \"Site\",\n \"FileRenamed\", \"FileRenamed\", \"\",\n \"FileMoved\", \"FileMoved\", \"\",\n \"FileCopied\", \"FileCopied\", \"\",\n \"FolderCopied\", \"FolderCopied\", \"\",\n \"FolderMoved\", \"FolderMoved\", \"\",\n \"FolderRenamed\", \"FolderRenamed\", \"\",\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\n \"FolderDeleted\", \"FolderDeleted\", \"\",\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\n ];\n let multiple_file_operations = dynamic([\n \"FileRenamed\",\n \"FileMoved\",\n \"FileCopied\",\n \"FolderCopied\",\n 
\"FolderMoved\",\n \"FolderRenamed\"\n ]);\n let parser=(disabled:bool=false){\n let OfficeActivityProjected = \n OfficeActivity\n | where not(disabled)\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\n | project Operation, OrganizationId, OrganizationName, SourceRecordId, OfficeWorkload, UserId, ClientIP, UserAgent, Start_Time, TimeGenerated, Type, OfficeObjectId, SourceFileName, SourceFileExtension, DestinationFileName, DestinationFileExtension, Site_Url, DestinationRelativeUrl, UserKey, MachineDomainInfo, MachineId; // ,_ItemId \n let SingleFileOperationEvents = \n OfficeActivityProjected\n | where Operation !in (multiple_file_operations)\n | project-rename \n TargetFilePath = OfficeObjectId,\n TargetFileName = SourceFileName,\n TargetFileExtension = SourceFileExtension\n | extend \n TargetFilePathType = \"URL\"\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\n ;\n // single in dest: SiteDeleted\n let MultipleFileOperationsEvents = \n OfficeActivityProjected\n | where Operation in (multiple_file_operations)\n | project-rename \n SrcFilePath = OfficeObjectId,\n TargetFileName = DestinationFileName,\n TargetFileExtension = DestinationFileExtension,\n SrcFileName = SourceFileName,\n SrcFileExtension = SourceFileExtension\n | extend \n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\n TargetFilePathType = \"URL\",\n SrcFilePathType = \"URL\"\n | project-away DestinationRelativeUrl\n ;\n union SingleFileOperationEvents, MultipleFileOperationsEvents\n | lookup operations on Operation\n | invoke _ASIM_ResolveActorUsername('UserId')\n | project-away UserId\n | project-rename \n EventOriginalType = Operation,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId,\n EventProduct = OfficeWorkload,\n ActorUserId = UserKey,\n HttpUserAgent = UserAgent,\n SrcIpAddr = ClientIP,\n EventStartTime = Start_Time,\n // 
EvetUid = _ItemId,\n TargetUrl = Site_Url,\n SrcDvcId = MachineId,\n SrcDvcScopeId = MachineDomainInfo\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated,\n EventResult = \"Success\",\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.1',\n EventSchema = \"FileEvent\",\n ActorUserIdType = 'Other',\n SrcDvcIdType = 'Other',\n TargetAppName = EventProduct,\n TargetAppType = 'SaaS application',\n Dvc = strcat ('Microsoft ', EventProduct)\n // Aliases\n | extend \n User = ActorUsername,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Url = TargetUrl,\n Dvc = EventProduct,\n Application = EventProduct\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmon/ASimFileEventMicrosoftSysmon.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmon/ASimFileEventMicrosoftSysmon.json index 62a9b7eab55..d444c8e5934 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmon/ASimFileEventMicrosoftSysmon.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmon/ASimFileEventMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM parser for Windows Sysmon", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftSysmon", - "query": "let parser = (disabled:bool=false) {\n // -- Event parser\n let EventParser = () {\n Event\n | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\n | project-away Source\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n Image:string,\n User:string,\n TargetFilename:string,\n Hashes:string,\n CreationUtcTime:datetime\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActingProcessGuid = ProcessGuid,\n ActingProcessId = ProcessId,\n ActorUsername = User,\n ActingProcessName = Image,\n TargetFileCreationTime=CreationUtcTime,\n TargetFilePath=TargetFilename,\n EventStartTime=UtcTime\n | project-away EventData\n };\n EventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 
'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5:string,\n SHA1:string,\n IMPHASH:string,\n SHA256:string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n };\n parser(disabled=disabled) ", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM parser for Windows Sysmon", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoftSysmon", + "query": "let parser = (disabled:bool=false) {\n // -- Event parser\n let EventParser = () {\n Event\n | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\n | project-away Source\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n Image:string,\n 
User:string,\n TargetFilename:string,\n Hashes:string,\n CreationUtcTime:datetime\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActingProcessGuid = ProcessGuid,\n ActingProcessId = ProcessId,\n ActorUsername = User,\n ActingProcessName = Image,\n TargetFileCreationTime=CreationUtcTime,\n TargetFilePath=TargetFilename,\n EventStartTime=UtcTime\n | project-away EventData\n };\n EventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5:string,\n SHA1:string,\n IMPHASH:string,\n SHA256:string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n };\n 
parser(disabled=disabled) ", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmonWindowsEvent/ASimFileEventMicrosoftSysmonWindowsEvent.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmonWindowsEvent/ASimFileEventMicrosoftSysmonWindowsEvent.json index 1fa16e76b5e..7e5bdf67eef 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmonWindowsEvent/ASimFileEventMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmonWindowsEvent/ASimFileEventMicrosoftSysmonWindowsEvent.json 
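Review bot: The flat `Microsoft.OperationalInsights/workspaces/savedSearches` resource drops the parent workspace resource and its `dependsOn`, so this deployment now writes only the saved search and the workspace named by `parameters('Workspace')` must already exist; the old nested form also issued a PUT on the workspace itself, so the narrower write is the intended and safer effect, but it should be stated in the parser deployment docs. The same restructure appears in the hunks ending at L1232, L1236 and L1238. These JSON files look like output of `ASIM/dev/ASimYaml2ARM/KqlFuncYaml2Arm.py`, which this same commit changes to emit the flat shape, so future fixes belong in the YAML source and the generator rather than in these files; note that `name` and `FunctionAlias` carry two separate copies of the alias string that must stay in sync for the deployed function to match the resource id. `"etag": "*"` is carried over unchanged and still means an unconditional overwrite of any existing saved search with that name.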
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM parser for Windows Sysmon", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled:bool=false) {\n //\n // -- WindowsEvent parser\n let WindowsEventParser=(){\n WindowsEvent \n | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\n | project-away Provider\n | extend \n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\n TargetFilePath=tostring(EventData.TargetFilename),\n ActingProcessName = tostring(EventData.Image),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = tostring(EventData.ProcessGuid),\n ActorUsername = tostring(EventData.User),\n EventStartTime = todatetime(EventData.UtcTime),\n RuleName = tostring(EventData.RuleName),\n Hashes = tostring(EventData.Hashes)\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\n | project-away EventData\n };\n WindowsEventParser\n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n 
EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5:string,\n SHA1:string,\n IMPHASH:string,\n SHA256:string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n }; \n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM parser for Windows Sysmon", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled:bool=false) {\n //\n // -- WindowsEvent parser\n let WindowsEventParser=(){\n WindowsEvent \n | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\n | 
project-away Provider\n | extend \n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\n TargetFilePath=tostring(EventData.TargetFilename),\n ActingProcessName = tostring(EventData.Image),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = tostring(EventData.ProcessGuid),\n ActorUsername = tostring(EventData.User),\n EventStartTime = todatetime(EventData.UtcTime),\n RuleName = tostring(EventData.RuleName),\n Hashes = tostring(EventData.Hashes)\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\n | project-away EventData\n };\n WindowsEventParser\n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5:string,\n SHA1:string,\n IMPHASH:string,\n SHA256:string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = 
ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n }; \n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json index 03164a16c14..391d74ec6c0 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM parser for Microsoft Windows Events", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftWindowsEvents", - "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n \"0x1\", \"ObjectAccessed\"\n , \"0x10\", \"MetadataModified\"\n , \"0x100\", \"MetadataModified\"\n , \"0x10000\", \"ObjectDeleted\"\n , \"0x2\", \"ObjectModified\"\n , \"0x20000\", \"MetadataAccessed\"\n , \"0x4\", \"ObjectModified\"\n , \"0x40\", \"ObjectDeleted\"\n , \"0x40000\", \"MetadataModified\"\n , \"0x6\", \"ObjectModified\"\n , \"0x8\", \"MetadataAccessed\"\n , \"0x80\", \"MetadataAccessed\"\n , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\nWindowsEvent\n| where EventID == 4663 \n and EventData.ObjectType == \"File\"\n and EventData.ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated\n , EventID, AccessMask = tostring(EventData.AccessMask)\n , ProcessName = tostring(EventData.ProcessName)\n , SubjectUserSid = tostring(EventData.SubjectUserSid)\n , 
AccountType = tostring(EventData.AccountType)\n , Computer = tostring(EventData.Computer)\n , ObjectName = tostring(EventData.ObjectName)\n , ProcessId = tostring(EventData.ProcessId)\n , SubjectUserName = tostring(EventData.SubjectUserName)\n , SubjectAccount = tostring(EventData.SubjectAccount)\n , SubjectLogonId = tostring(EventData.SubjectLogonId)\n , HandleId = tostring(EventData.HandleId)\n , Type\n| extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetFilePath = ObjectName\n , TargetFilePathFormat = \"Windows Local\"\n , ActingProcessId = tostring(toint(ProcessId))\n , EventOriginalType = tostring(EventID)\n| project-away EventID, ProcessId, AccountType, type, username\n| project-rename ActorUserId = SubjectUserSid\n , DvcHostname = Computer\n , Process = ProcessName\n , FilePath = ObjectName\n , ActorSessionId = SubjectLogonId\n , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n , EventSchemaVersion = \"0.1.1\"\n , EventResult = \"Success\"\n , EventCount = int(1)\n , EventVendor = 'Microsoft'\n , EventProduct = 'Security Events'\n , Dvc = DvcHostname\n , ActorWindowsUsername = ActorUsername\n , User = ActorUsername\n , ActorUserSid = ActorUserId\n| project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\n};\nParser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM parser for Microsoft Windows Events", + "category": "ASIM", + "FunctionAlias": 
"ASimFileEventMicrosoftWindowsEvents", + "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n \"0x1\", \"ObjectAccessed\"\n , \"0x10\", \"MetadataModified\"\n , \"0x100\", \"MetadataModified\"\n , \"0x10000\", \"ObjectDeleted\"\n , \"0x2\", \"ObjectModified\"\n , \"0x20000\", \"MetadataAccessed\"\n , \"0x4\", \"ObjectModified\"\n , \"0x40\", \"ObjectDeleted\"\n , \"0x40000\", \"MetadataModified\"\n , \"0x6\", \"ObjectModified\"\n , \"0x8\", \"MetadataAccessed\"\n , \"0x80\", \"MetadataAccessed\"\n , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\nWindowsEvent\n| where EventID == 4663 \n and EventData.ObjectType == \"File\"\n and EventData.ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated\n , EventID, AccessMask = tostring(EventData.AccessMask)\n , ProcessName = tostring(EventData.ProcessName)\n , SubjectUserSid = tostring(EventData.SubjectUserSid)\n , AccountType = tostring(EventData.AccountType)\n , Computer = tostring(EventData.Computer)\n , ObjectName = tostring(EventData.ObjectName)\n , ProcessId = tostring(EventData.ProcessId)\n , SubjectUserName = tostring(EventData.SubjectUserName)\n , SubjectAccount = tostring(EventData.SubjectAccount)\n , SubjectLogonId = tostring(EventData.SubjectLogonId)\n , HandleId = tostring(EventData.HandleId)\n , Type\n| extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n , ActorUsernameType = iff(SubjectUserName == 
'-',type, 'Windows')\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetFilePath = ObjectName\n , TargetFilePathFormat = \"Windows Local\"\n , ActingProcessId = tostring(toint(ProcessId))\n , EventOriginalType = tostring(EventID)\n| project-away EventID, ProcessId, AccountType, type, username\n| project-rename ActorUserId = SubjectUserSid\n , DvcHostname = Computer\n , Process = ProcessName\n , FilePath = ObjectName\n , ActorSessionId = SubjectLogonId\n , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n , EventSchemaVersion = \"0.1.1\"\n , EventResult = \"Success\"\n , EventCount = int(1)\n , EventVendor = 'Microsoft'\n , EventProduct = 'Security Events'\n , Dvc = DvcHostname\n , ActorWindowsUsername = ActorUsername\n , User = ActorUsername\n , ActorUserSid = ActorUserId\n| project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\n};\nParser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventNative/ASimFileEventNative.json b/Parsers/ASimFileEvent/ARM/ASimFileEventNative/ASimFileEventNative.json index 3817d04f36a..e81ee5a46d3 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventNative/ASimFileEventNative.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventNative/ASimFileEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM parser for Microsoft Sentinel native File Event table", - "category": "ASIM", - "FunctionAlias": "ASimFileEventNative", - "query": "let parser=(disabled: bool=false) {\n ASimFileEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"FileEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n Url = TargetUrl,\n Application = TargetAppName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM parser for Microsoft Sentinel native File Event table", + "category": "ASIM", + "FunctionAlias": "ASimFileEventNative", + "query": "let parser=(disabled: bool=false) {\n ASimFileEventLogs\n | where 
not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"FileEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n Url = TargetUrl,\n Application = TargetAppName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventSentinelOne/ASimFileEventSentinelOne.json b/Parsers/ASimFileEvent/ARM/ASimFileEventSentinelOne/ASimFileEventSentinelOne.json index 4e83f753206..92e3dcac9c4 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventSentinelOne/ASimFileEventSentinelOne.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventSentinelOne/ASimFileEventSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM Parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimFileEventSentinelOne", - "query": "let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet GetLinuxFilenamePart = (path: string) { tostring(split(path, @'/')[-1]) };\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"FILECREATION\", \"FileCreated\",\n \"FILEMODIFICATION\", \"FileModified\",\n \"FILEDELETION\", \"FileDeleted\",\n \"FILERENAME\", \"FileRenamed\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let allFileData = SentinelOne_CL\n | where not(disabled)\n and event_name_s == 
\"Alerts.\"\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\n let windowsFileData = allFileData\n | where agentDetectionInfo_osFamily_s == \"windows\"\n | extend\n TargetFilePathType = \"Windows Local\",\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let otherFileData = allFileData\n | where agentDetectionInfo_osFamily_s != \"windows\"\n | extend\n TargetFilePathType = \"Unix\",\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let parseddata = union windowsFileData, otherFileData\n | lookup EventTypeLookup on alertInfo_eventType_s;\n let undefineddata = parseddata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n EventVendor = \"SentinelOne\",\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventCount = toint(1),\n DvcAction = \"Allowed\",\n ActorUsername = sourceProcessInfo_user_s\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ActingProcessCommandLine = 
sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessId = sourceProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n EventEndTime = EventStartTime,\n Rule = RuleName,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\n \"TargetFileSHA1\",\n \"\"\n ) \n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM Parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimFileEventSentinelOne", + "query": "let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) 
};\nlet GetLinuxFilenamePart = (path: string) { tostring(split(path, @'/')[-1]) };\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"FILECREATION\", \"FileCreated\",\n \"FILEMODIFICATION\", \"FileModified\",\n \"FILEDELETION\", \"FileDeleted\",\n \"FILERENAME\", \"FileRenamed\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let allFileData = SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\n let windowsFileData = allFileData\n | where agentDetectionInfo_osFamily_s == \"windows\"\n | extend\n TargetFilePathType = \"Windows Local\",\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let otherFileData = allFileData\n | where agentDetectionInfo_osFamily_s != \"windows\"\n | extend\n TargetFilePathType = \"Unix\",\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let parseddata = union windowsFileData, otherFileData\n | lookup EventTypeLookup on alertInfo_eventType_s;\n let undefineddata = parseddata\n | where ruleInfo_treatAsThreat_s == 
\"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n EventVendor = \"SentinelOne\",\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventCount = toint(1),\n DvcAction = \"Allowed\",\n ActorUsername = sourceProcessInfo_user_s\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessId = sourceProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n 
EventEndTime = EventStartTime,\n Rule = RuleName,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\n \"TargetFileSHA1\",\n \"\"\n ) \n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json b/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json index d2da0aaf948..b2920979c0d 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json 
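Review bot: In the new `query`, `EventStartTime = sourceProcessInfo_pidStarttime_t` followed by `EventEndTime = EventStartTime` stamps each file event with the acting process's start time rather than the time of the file operation; if the SentinelOne alert record carries its own event timestamp, that field should feed EventStartTime, because ASIM time-window filtering and any detection built on `imFileEvent` will otherwise place file events from long-running processes far in the past. The three threat-level branches compare `ruleInfo_treatAsThreat_s` against `"UNDEFINED"`, `"Suspicious"` and `"Malicious"` with mixed casing, so a row whose value uses any other casing drops out of the union silently; a case-insensitive comparison such as `ruleInfo_treatAsThreat_s =~ "undefined"` would close that gap, but confirm the source field's actual casing first. The local name `maaliciousdata` is misspelled. These points live in the KQL, so if this file is generated from the parser YAML the change belongs there. The enclosing `resources` array begins before the hunk.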
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimFileEventVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", \"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", \"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", 
\"FileAccessed\",\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n | where action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has \"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s == \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n 
DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimFileEventVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", 
\"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", \"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n | where action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has \"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s 
== \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": 
"disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json b/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json index 3aac32ebedd..d4ed864409c 100644 --- a/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json +++ b/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imFileEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imFileEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Source Agnostic File Events Parser", - "category": "ASIM", - "FunctionAlias": "imFileEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n| where SearchKey in ('Any', 'ExcludevimFile')\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n| distinct SourceSpecificParser\n| where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack: bool=false\n ) {\n union isfuzzy=true\n vimFileEventEmpty,\n vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or 
('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))),\n vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))),\n vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))),\n vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))),\n vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))),\n vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmonWindowsEvent(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\n vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, 
srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),\n vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers)))),\n 
vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventGoogleWorkspace' in (DisabledParsers))))\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Source Agnostic File Events Parser", + "category": "ASIM", + "FunctionAlias": "imFileEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n| where SearchKey in ('Any', 'ExcludevimFile')\n| extend 
SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n| distinct SourceSpecificParser\n| where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack: bool=false\n ) {\n union isfuzzy=true\n vimFileEventEmpty,\n vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))),\n vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))),\n vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, 
disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))),\n vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))),\n vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))),\n vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmonWindowsEvent(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\n vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, 
srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),\n vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers)))),\n vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventGoogleWorkspace' in (DisabledParsers))))\n};\nparser(starttime=starttime, 
endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAzureBlobStorage/vimFileEventAzureBlobStorage.json b/Parsers/ASimFileEvent/ARM/vimFileEventAzureBlobStorage/vimFileEventAzureBlobStorage.json index 7411833263b..1fbf3894987 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventAzureBlobStorage/vimFileEventAzureBlobStorage.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAzureBlobStorage/vimFileEventAzureBlobStorage.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAzureBlobStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventAzureBlobStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Azure Blob Storage", - "category": "ASIM", - "FunctionAlias": "vimFileEventAzureBlobStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let bloboperations=datatable(OperationName: string, EventType: string)\n[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n];\n StorageBlobLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or 
TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n //\n | lookup bloboperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \n | project-rename \n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n HttpUserAgent=UserAgentHeader\n ,\n TargetUrl=Uri\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Azure Blob Storage", + "category": "ASIM", + "FunctionAlias": "vimFileEventAzureBlobStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let bloboperations=datatable(OperationName: string, EventType: string)\n[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n];\n StorageBlobLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n 
(array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n //\n | lookup bloboperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \n | project-rename \n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n HttpUserAgent=UserAgentHeader\n ,\n TargetUrl=Uri\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No 
newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAzureFileStorage/vimFileEventAzureFileStorage.json b/Parsers/ASimFileEvent/ARM/vimFileEventAzureFileStorage/vimFileEventAzureFileStorage.json index 2137ad76170..f34e86864f1 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventAzureFileStorage/vimFileEventAzureFileStorage.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAzureFileStorage/vimFileEventAzureFileStorage.json 
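Review bot: `EventProduct='Azure File Storage'` in the new-side query labels StorageBlobLogs records as File Storage, so any analytics rule or workbook that filters normalized FileEvent records on EventProduct will mis-attribute or miss Blob Storage activity; the line should read `EventProduct='Azure Blob Storage'`. The sibling Queue and Table Storage parsers in this commit carry the same mislabel. This ARM template appears to be generated from the parser YAML by the ASimYaml2ARM tooling changed in this same commit, so the correction belongs in that source and the template should be regenerated rather than hand-edited.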
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAzureFileStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventAzureFileStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Azure File Storage", - "category": "ASIM", - "FunctionAlias": "vimFileEventAzureFileStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let fileoperations=datatable(OperationName: string, EventType: string)[\n \"DeleteFile\", \"FileDeleted\"\n ,\n \"DeleteDirectory\", \"FolderDeleted\"\n ,\n \"GetFile\", \"FileAccessed\"\n ,\n \"CopyFile\", \"FileCopied\"\n ,\n \"CreateFileSnapshot\", \"FileCreated\"\n ,\n \"CreateDirectory\", \"FolderCreated\"\n ,\n \"CreateFile\", \"FileCreated\"\n ,\n \"CreateShare\", \"FolderCreated\"\n ,\n \"DeleteShare\", \"FileDeleted\"\n ,\n \"PutRange\", \"FileModified\"\n ,\n \"CopyFileDestination\", \"FileCopied\"\n ,\n \"CopyFileSource\", \"FileCopied\"\n];\n StorageFileLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated 
>= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (fileoperations)\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n //\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup fileoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Azure File Storage", + "category": "ASIM", + "FunctionAlias": "vimFileEventAzureFileStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let fileoperations=datatable(OperationName: string, EventType: string)[\n \"DeleteFile\", \"FileDeleted\"\n ,\n \"DeleteDirectory\", \"FolderDeleted\"\n ,\n \"GetFile\", \"FileAccessed\"\n ,\n \"CopyFile\", \"FileCopied\"\n ,\n \"CreateFileSnapshot\", \"FileCreated\"\n ,\n \"CreateDirectory\", \"FolderCreated\"\n ,\n \"CreateFile\", \"FileCreated\"\n ,\n \"CreateShare\", \"FolderCreated\"\n ,\n \"DeleteShare\", \"FileDeleted\"\n ,\n \"PutRange\", \"FileModified\"\n ,\n \"CopyFileDestination\", \"FileCopied\"\n ,\n \"CopyFileSource\", \"FileCopied\"\n];\n StorageFileLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (fileoperations)\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or 
(has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n //\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup fileoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAzureQueueStorage/vimFileEventAzureQueueStorage.json b/Parsers/ASimFileEvent/ARM/vimFileEventAzureQueueStorage/vimFileEventAzureQueueStorage.json index 8453c58f402..42c23c44beb 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventAzureQueueStorage/vimFileEventAzureQueueStorage.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAzureQueueStorage/vimFileEventAzureQueueStorage.json 
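Review bot: `SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])` on the new side copies the address part into the port field (index 0 is the IP), so SrcPortNumber always duplicates SrcIpAddr and never holds the caller port; it should be `SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])`, matching the Blob Storage parser in this commit. Because the two normalized outputs currently disagree, any detection that keys on SrcPortNumber across storage sources behaves inconsistently. This ARM file looks generated from the parser YAML by the ASimYaml2ARM tooling, so the fix should be made there and the template regenerated.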
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAzureQueueStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventAzureQueueStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Azure Queue Storage", - "category": "ASIM", - "FunctionAlias": "vimFileEventAzureQueueStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let queueoperations=datatable(OperationName: string, EventType: string)\n[\n \"ClearMessages\", \"FileDeleted\"\n ,\n \"CreateQueue\", \"FileCreated\"\n ,\n \"DeleteQueue\", \"FileDeleted\"\n ,\n \"DeleteMessage\", \"FileDeleted\"\n ,\n \"GetQueue\", \"FileAccessed\"\n ,\n \"GetMessage\", \"FileAccessed\"\n ,\n \"GetMessages\", \"FileAccessed\"\n ,\n \"PeekMessage\", \"FileAccessed\"\n ,\n \"PeekMessages\", \"FileAccessed\"\n ,\n \"PutMessage\", \"FileCreated\"\n ,\n \"UpdateMessage\", \"FileModified\" \n];\n StorageQueueLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) 
or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup queueoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=datetime(null), \n endtime=datetime(null), \n eventtype_in=dynamic([]),\n srcipaddr_has_any_prefix=dynamic([]),\n actorusername_has_any=dynamic([]),\n targetfilepath_has_any=dynamic([]),\n srcfilepath_has_any=dynamic([]),\n hashes_has_any=dynamic([]),\n dvchostname_has_any=dynamic([]),\n disabled=false\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Azure Queue Storage", + "category": "ASIM", + "FunctionAlias": "vimFileEventAzureQueueStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let queueoperations=datatable(OperationName: string, EventType: string)\n[\n \"ClearMessages\", \"FileDeleted\"\n ,\n \"CreateQueue\", \"FileCreated\"\n ,\n \"DeleteQueue\", \"FileDeleted\"\n ,\n \"DeleteMessage\", \"FileDeleted\"\n ,\n \"GetQueue\", \"FileAccessed\"\n ,\n \"GetMessage\", \"FileAccessed\"\n ,\n \"GetMessages\", \"FileAccessed\"\n ,\n \"PeekMessage\", \"FileAccessed\"\n ,\n \"PeekMessages\", \"FileAccessed\"\n ,\n \"PutMessage\", \"FileCreated\"\n ,\n \"UpdateMessage\", \"FileModified\" \n];\n StorageQueueLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n 
(array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup queueoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=datetime(null), \n endtime=datetime(null), \n eventtype_in=dynamic([]),\n srcipaddr_has_any_prefix=dynamic([]),\n actorusername_has_any=dynamic([]),\n targetfilepath_has_any=dynamic([]),\n srcfilepath_has_any=dynamic([]),\n hashes_has_any=dynamic([]),\n dvchostname_has_any=dynamic([]),\n disabled=false\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
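Review bot: The trailing invocation `parser(starttime=datetime(null), endtime=datetime(null), ..., disabled=false)` on the new side passes literal defaults instead of the function's own parameters, so every caller-supplied filter — time range, eventtype_in, srcipaddr_has_any_prefix, targetfilepath_has_any and notably `disabled` — is silently ignored and the full StorageQueueLogs table is always scanned. This also means the `imFileEvent` union, which passes `disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))`, cannot actually disable or scope this parser via the ASimDisabledParsers watchlist. Forward each argument as the Blob and File Storage parsers in this commit do (`starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, … dvchostname_has_any=dvchostname_has_any, disabled=disabled`). The same query also sets `SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])` (the IP, not the port) and `EventProduct='Azure File Storage'` for queue events. This ARM template appears to be generated from the parser YAML by the ASimYaml2ARM tooling changed in this commit, so the fixes belong in the source and the template should be regenerated.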
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAzureTableStorage/vimFileEventAzureTableStorage.json b/Parsers/ASimFileEvent/ARM/vimFileEventAzureTableStorage/vimFileEventAzureTableStorage.json index b1df578434c..1b9ce1e5ebb 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventAzureTableStorage/vimFileEventAzureTableStorage.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAzureTableStorage/vimFileEventAzureTableStorage.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAzureTableStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventAzureTableStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Azure Table Storage", - "category": "ASIM", - "FunctionAlias": "vimFileEventAzureTableStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let tableoperations=datatable(OperationName: string, EventType: string)\n[\n ,\n \"CreateTable\", \"FileCreated\"\n ,\n \"DeleteTable\", \"FileDeleted\"\n ,\n \"DeleteEntity\", \"FileModified\"\n ,\n \"InsertEntity\", \"FileModified\"\n ,\n \"InsertOrMergeEntity\", \"FileModified\"\n ,\n \"InsertOrReplaceEntity\", \"FileModified\"\n ,\n \"QueryEntity\", \"FileAccessed\"\n ,\n \"QueryEntities\", \"FileAccessed\"\n ,\n \"QueryTable\", \"FileAccessed\"\n ,\n \"QueryTables\", \"FileAccessed\"\n ,\n \"UpdateEntity\", \"FileModified\"\n ,\n \"MergeEntity\", \"FileModified\"\n];\n StorageTableLogs\n | where not(disabled)\n | where 
(isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup tableoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Azure Table Storage", + "category": "ASIM", + "FunctionAlias": "vimFileEventAzureTableStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let tableoperations=datatable(OperationName: string, EventType: string)\n[\n ,\n \"CreateTable\", \"FileCreated\"\n ,\n \"DeleteTable\", \"FileDeleted\"\n ,\n \"DeleteEntity\", \"FileModified\"\n ,\n \"InsertEntity\", \"FileModified\"\n ,\n \"InsertOrMergeEntity\", \"FileModified\"\n ,\n \"InsertOrReplaceEntity\", \"FileModified\"\n ,\n \"QueryEntity\", \"FileAccessed\"\n ,\n \"QueryEntities\", \"FileAccessed\"\n ,\n \"QueryTable\", \"FileAccessed\"\n ,\n \"QueryTables\", \"FileAccessed\"\n ,\n \"UpdateEntity\", \"FileModified\"\n ,\n \"MergeEntity\", \"FileModified\"\n];\n StorageTableLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or 
(has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup tableoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json b/Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json index bf150354cfb..8bbc67d7e21 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimFileEventEmpty", - "query": "let FileEvent=datatable(\n _ResourceId:string,\n ActingProcessCommandLine:string,\n ActingProcessGuid:string,\n ActingProcessId:string,\n ActingProcessName:string,\n ActorOriginalUserType:string,\n ActorScope:string,\n ActorScopeId:string,\n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUsername:string,\n ActorUsernameType:string,\n ActorUserSid:string,\n ActorUserType:string,\n AdditionalFields:dynamic,\n Application:string,\n Dvc:string,\n DvcAction:string,\n DvcDescription:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcHostname:string,\n DvcId:string,\n DvcIdType:string,\n DvcInterface:string,\n DvcIpAddr:string,\n DvcMacAddr:string,\n DvcOriginalAction:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcScopeId:string,\n DvcScope:string,\n DvcZone:string,\n EventCount:int,\n EventEndTime:datetime,\n EventMessage:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventOriginalType:string,\n EventOriginalUid:string,\n EventOwner:string,\n EventProduct:string,\n EventProductVersion:string,\n EventReportUrl:string,\n EventResult:string,\n EventSchema:string,\n 
EventSchemaVersion:string,\n EventSeverity:string,\n EventStartTime:datetime,\n EventType:string,\n EventUid:string,\n EventVendor:string,\n EventSubType:string,\n EventResultDetails:string,\n FileName:string,\n FilePath:string,\n Hash:string,\n HashType:string,\n HttpUserAgent:string,\n IpAddr:string,\n NetworkApplicationProtocol:string,\n Process:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n Src:string,\n SrcDescription:string,\n SrcDeviceType:string,\n SrcDomain:string,\n SrcDomainType:string,\n SrcDvcId:string,\n SrcDvcIdType:string,\n SrcDvcScope:string,\n SrcDvcScopeId:string,\n SrcFileCreationTime:datetime,\n SrcFileDirectory:string,\n SrcFileExtension:string,\n SrcFileMD5:string,\n SrcFileMimeType:string,\n SrcFileName:string,\n SrcFilePath:string,\n SrcFilePathType:string,\n SrcFileSHA1:string,\n SrcFileSHA256:string,\n SrcFileSHA512:string,\n SrcFileSize:long,\n SrcFQDN:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n SrcGeoRegion:string,\n SrcHostname:string,\n SrcIpAddr:string,\n SrcPortNumber:int,\n SrcMacAddr:string,\n SrcRiskLevel:int,\n SrcOriginalRiskLevel:string,\n TargetAppId:string,\n TargetAppName:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n TargetFileCreationTime:datetime,\n TargetFileDirectory:string,\n TargetFileExtension:string,\n TargetFileMD5:string,\n TargetFileMimeType:string,\n TargetFileName:string,\n TargetFilePath:string,\n TargetFilePathType:string,\n TargetFileSHA1:string,\n TargetFileSHA256:string,\n TargetFileSHA512:string,\n TargetFileSize:long,\n TargetUrl:string,\n ThreatCategory:string,\n ThreatConfidence:int,\n ThreatField:string,\n ThreatFilePath:string,\n ThreatFirstReportedTime:datetime,\n ThreatId:string,\n ThreatIpAddr:string,\n ThreatIsActive:bool,\n ThreatLastReportedTime:datetime,\n ThreatName:string,\n ThreatOriginalConfidence:string,\n ThreatOriginalRiskLevel:string,\n ThreatRiskLevel:int,\n TimeGenerated:datetime,\n 
Type:string,\n Url:string,\n User:string,\n ActorUserPuid:string,\n ActorUpn:string,\n Dst:string\n)[];\nFileEvent", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimFileEventEmpty", + "query": "let FileEvent=datatable(\n _ResourceId:string,\n ActingProcessCommandLine:string,\n ActingProcessGuid:string,\n ActingProcessId:string,\n ActingProcessName:string,\n ActorOriginalUserType:string,\n ActorScope:string,\n ActorScopeId:string,\n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUsername:string,\n ActorUsernameType:string,\n ActorUserSid:string,\n ActorUserType:string,\n AdditionalFields:dynamic,\n Application:string,\n Dvc:string,\n DvcAction:string,\n DvcDescription:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcHostname:string,\n DvcId:string,\n DvcIdType:string,\n DvcInterface:string,\n DvcIpAddr:string,\n DvcMacAddr:string,\n DvcOriginalAction:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcScopeId:string,\n DvcScope:string,\n DvcZone:string,\n EventCount:int,\n EventEndTime:datetime,\n EventMessage:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventOriginalType:string,\n EventOriginalUid:string,\n EventOwner:string,\n EventProduct:string,\n EventProductVersion:string,\n EventReportUrl:string,\n EventResult:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventStartTime:datetime,\n EventType:string,\n EventUid:string,\n EventVendor:string,\n EventSubType:string,\n EventResultDetails:string,\n FileName:string,\n FilePath:string,\n Hash:string,\n HashType:string,\n HttpUserAgent:string,\n IpAddr:string,\n NetworkApplicationProtocol:string,\n Process:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n Src:string,\n SrcDescription:string,\n SrcDeviceType:string,\n 
SrcDomain:string,\n SrcDomainType:string,\n SrcDvcId:string,\n SrcDvcIdType:string,\n SrcDvcScope:string,\n SrcDvcScopeId:string,\n SrcFileCreationTime:datetime,\n SrcFileDirectory:string,\n SrcFileExtension:string,\n SrcFileMD5:string,\n SrcFileMimeType:string,\n SrcFileName:string,\n SrcFilePath:string,\n SrcFilePathType:string,\n SrcFileSHA1:string,\n SrcFileSHA256:string,\n SrcFileSHA512:string,\n SrcFileSize:long,\n SrcFQDN:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n SrcGeoRegion:string,\n SrcHostname:string,\n SrcIpAddr:string,\n SrcPortNumber:int,\n SrcMacAddr:string,\n SrcRiskLevel:int,\n SrcOriginalRiskLevel:string,\n TargetAppId:string,\n TargetAppName:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n TargetFileCreationTime:datetime,\n TargetFileDirectory:string,\n TargetFileExtension:string,\n TargetFileMD5:string,\n TargetFileMimeType:string,\n TargetFileName:string,\n TargetFilePath:string,\n TargetFilePathType:string,\n TargetFileSHA1:string,\n TargetFileSHA256:string,\n TargetFileSHA512:string,\n TargetFileSize:long,\n TargetUrl:string,\n ThreatCategory:string,\n ThreatConfidence:int,\n ThreatField:string,\n ThreatFilePath:string,\n ThreatFirstReportedTime:datetime,\n ThreatId:string,\n ThreatIpAddr:string,\n ThreatIsActive:bool,\n ThreatLastReportedTime:datetime,\n ThreatName:string,\n ThreatOriginalConfidence:string,\n ThreatOriginalRiskLevel:string,\n ThreatRiskLevel:int,\n TimeGenerated:datetime,\n Type:string,\n Url:string,\n User:string,\n ActorUserPuid:string,\n ActorUpn:string,\n Dst:string\n)[];\nFileEvent", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventGoogleWorkspace/vimFileEventGoogleWorkspace.json b/Parsers/ASimFileEvent/ARM/vimFileEventGoogleWorkspace/vimFileEventGoogleWorkspace.json index 82219625764..56924c12d50 100644 
--- a/Parsers/ASimFileEvent/ARM/vimFileEventGoogleWorkspace/vimFileEventGoogleWorkspace.json
+++ b/Parsers/ASimFileEvent/ARM/vimFileEventGoogleWorkspace/vimFileEventGoogleWorkspace.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventGoogleWorkspace')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventGoogleWorkspace", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File events ASIM filtering parser for Google Workspace", - "category": "ASIM", - "FunctionAlias": "vimFileEventGoogleWorkspace", - "query": "let parser = (\n starttime: datetime = datetime(null)\n , endtime: datetime = datetime(null)\n , eventtype_in: dynamic = dynamic([])\n , srcipaddr_has_any_prefix: dynamic = dynamic([])\n , actorusername_has_any: dynamic = dynamic([])\n , targetfilepath_has_any: dynamic = dynamic([])\n , srcfilepath_has_any: dynamic = dynamic([])\n , hashes_has_any: dynamic = dynamic([])\n , dvchostname_has_any: dynamic = dynamic([])\n , disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n 
TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n \"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", \"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycle\",\n \"move\", \"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n 
\"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and ((array_length(actorusername_has_any) == 0) or (actor_email_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (doc_title_s has_any (targetfilepath_has_any)))\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvchostname_has_any) == 0)\n and event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n 
\"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n 
strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from 
\", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n \"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any)))\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FileNameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n targetfilepath_has_any = targetfilepath_has_any,\n srcfilepath_has_any = srcfilepath_has_any,\n hashes_has_any = hashes_has_any,\n dvchostname_has_any = dvchostname_has_any,\n disabled = disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File events ASIM filtering parser for Google Workspace", + "category": "ASIM", + "FunctionAlias": "vimFileEventGoogleWorkspace", + "query": "let parser = (\n starttime: datetime = datetime(null)\n , endtime: datetime = datetime(null)\n , eventtype_in: dynamic = dynamic([])\n , srcipaddr_has_any_prefix: dynamic = dynamic([])\n , actorusername_has_any: dynamic = dynamic([])\n , targetfilepath_has_any: dynamic = dynamic([])\n , srcfilepath_has_any: dynamic = dynamic([])\n , hashes_has_any: dynamic = dynamic([])\n , dvchostname_has_any: dynamic = dynamic([])\n , disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n 
EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n \"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", \"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycle\",\n \"move\", \"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n \"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n // -- Pre filtering\n | 
where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and ((array_length(actorusername_has_any) == 0) or (actor_email_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (doc_title_s has_any (targetfilepath_has_any)))\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvchostname_has_any) == 0)\n and event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == 
\"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested 
access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from \", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n 
\"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any)))\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FileNameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n targetfilepath_has_any = targetfilepath_has_any,\n srcfilepath_has_any = srcfilepath_has_any,\n hashes_has_any = hashes_has_any,\n dvchostname_has_any = dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileCreated/vimFileEventLinuxSysmonFileCreated.json b/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileCreated/vimFileEventLinuxSysmonFileCreated.json index 452506ef637..1b907b28931 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileCreated/vimFileEventLinuxSysmonFileCreated.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileCreated/vimFileEventLinuxSysmonFileCreated.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventLinuxSysmonFileCreated')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventLinuxSysmonFileCreated", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File create Activity ASIM filtering parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimFileEventLinuxSysmonFileCreated", - "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where SyslogMessage has_all ('11')\n // pre-filtering\n | where ((array_length(eventtype_in) == 0) or ('FileCreated' in~ (eventtype_in))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0)) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n | 
parse SyslogMessage with *\n ''msgEventRecordID: string''\n *\n //''msgComputer:string''\n ''\n * \n ''msgProcessGuid: string''\n ''msgProcessId: string''\n ''msgImage: string''\n ''msgTargetFileName: string''\n ''msgCreationUtcTime: datetime''*\n | where ((array_length(targetfilepath_has_any) == 0) or (msgTargetFileName has_any (targetfilepath_has_any)))\n | parse SyslogMessage with *''ActorUsername ''*\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any)))\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated \n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileCreated'\n ,\n EventResult ='Success'\n ,\n EventOriginalType ='11' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22'\n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUserType = iff(isnotempty(ActorUsername), 'Simple', '') // make sure user type is okay\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFileName\n ,\n TargetFileCreationTime =msgCreationUtcTime\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc = DvcHostname\n ,\n User = ActorUsername\n | project-away SyslogMessage\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File create Activity ASIM filtering parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimFileEventLinuxSysmonFileCreated", + "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where SyslogMessage has_all ('11')\n // pre-filtering\n | where ((array_length(eventtype_in) == 0) or ('FileCreated' in~ (eventtype_in))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0)) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n | parse SyslogMessage with *\n ''msgEventRecordID: string''\n *\n //''msgComputer:string''\n ''\n * \n ''msgProcessGuid: string''\n ''msgProcessId: string''\n ''msgImage: string''\n ''msgTargetFileName: string''\n ''msgCreationUtcTime: datetime''*\n | where 
((array_length(targetfilepath_has_any) == 0) or (msgTargetFileName has_any (targetfilepath_has_any)))\n | parse SyslogMessage with *''ActorUsername ''*\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any)))\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated \n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileCreated'\n ,\n EventResult ='Success'\n ,\n EventOriginalType ='11' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22'\n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUserType = iff(isnotempty(ActorUsername), 'Simple', '') // make sure user type is okay\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFileName\n ,\n TargetFileCreationTime =msgCreationUtcTime\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc = DvcHostname\n ,\n User = ActorUsername\n | project-away SyslogMessage\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline 
at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileDeleted/vimFileEventLinuxSysmonFileDeleted.json b/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileDeleted/vimFileEventLinuxSysmonFileDeleted.json index ac4d4f1c4a3..11cb76edb25 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileDeleted/vimFileEventLinuxSysmonFileDeleted.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileDeleted/vimFileEventLinuxSysmonFileDeleted.json 
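Review bot: The query in the added `properties` block writes the value `'Simple'` into `ActorUserType` (`ActorUserType = iff(isnotempty(ActorUsername), 'Simple', '') // make sure user type is okay`), but `Simple` is a username-format value, and the sibling Sysmon FileDeleted parser in the next hunk stores it in `ActorUsernameType`; the line should read `ActorUsernameType = iff(isnotempty(ActorUsername), 'Simple', '')`, and the leftover "make sure user type is okay" remark can then go. As written, content that filters or pivots on ActorUsernameType sees it empty for file-create events from Sysmon for Linux, while ActorUserType carries a value that is not part of its vocabulary. The defect predates the commit and is only moved by it; if this ARM template is generated from the parser YAML, the fix belongs in the YAML with the template regenerated. The template's parameters block sits above the hunk.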
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventLinuxSysmonFileDeleted')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventLinuxSysmonFileDeleted", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File delete activity ASIM filtering parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimFileEventLinuxSysmonFileDeleted", - "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where SyslogMessage has ('23', '26')\n // pre-filtering\n | where ((array_length(eventtype_in) == 0) or ('FileDeleted' in~ (eventtype_in))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | parse 
SyslogMessage with \n ''msgEventId: string''\n *\n ''msgEventRecordID: string''\n *\n ''msgComputer: string''\n ''\n *\n '{'msgProcessGuid: string'}'\n ''msgProcessId: string''\n ''msgUser: string''\n ''msgImage: string''\n ''msgTargetFilename: string''\n ''msgHashes: string'' *\n // post-filtering\n | where ((array_length(actorusername_has_any) == 0) or (msgUser has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (msgTargetFilename has_any (targetfilepath_has_any)))\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileDeleted'\n ,\n EventResult ='Success' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22' \n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUsernameType='Simple'\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n EventOriginalType =msgEventId \n ,\n ActorUsername=msgUser\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFilename\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc =DvcHostname\n ,\n User=ActorUsername\n | project-away SyslogMessage\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File delete activity ASIM filtering parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimFileEventLinuxSysmonFileDeleted", + "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where SyslogMessage has ('23', '26')\n // pre-filtering\n | where ((array_length(eventtype_in) == 0) or ('FileDeleted' in~ (eventtype_in))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | parse SyslogMessage with \n ''msgEventId: string''\n *\n ''msgEventRecordID: string''\n *\n ''msgComputer: string''\n ''\n *\n '{'msgProcessGuid: string'}'\n ''msgProcessId: string''\n ''msgUser: string''\n ''msgImage: string''\n ''msgTargetFilename: string''\n 
''msgHashes: string'' *\n // post-filtering\n | where ((array_length(actorusername_has_any) == 0) or (msgUser has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (msgTargetFilename has_any (targetfilepath_has_any)))\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileDeleted'\n ,\n EventResult ='Success' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22' \n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUsernameType='Simple'\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n EventOriginalType =msgEventId \n ,\n ActorUsername=msgUser\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFilename\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc =DvcHostname\n ,\n User=ActorUsername\n | project-away SyslogMessage\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
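Review bot: The pre-filter in the added query, `| where SyslogMessage has ('23', '26')`, hands `has` a parenthesised pair, while `has` is defined for a single term; if the intent is to keep either Sysmon event ID, the operator that expresses it is `has_any ('23', '26')`, so please confirm what the current form actually matches before relying on it. Separately, `ActorUsernameType='Simple'` is assigned unconditionally, so rows where `msgUser` parses empty still carry a username type; the FileCreated parser in the previous hunk guards the same assignment with `iff(isnotempty(...), 'Simple', '')`, and `ActorUsernameType = iff(isnotempty(msgUser), 'Simple', '')` would keep the two parsers consistent. Both points predate the commit, and if this template is generated from the parser YAML the change belongs there. The template's parameters block sits above the hunk.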
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventM365D/vimFileEventM365D.json b/Parsers/ASimFileEvent/ARM/vimFileEventM365D/vimFileEventM365D.json index 7bbf682c70f..d01fff06201 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventM365D/vimFileEventM365D.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventM365D/vimFileEventM365D.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering parser for Microsoft 365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoft365D", - "query": "let protocols = dynamic(['smb']);\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let remote_events = \n DeviceFileEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where isnotempty(RequestAccountName)\n | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(RequestSourceIP, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (RequestAccountName has_any (actorusername_has_any)) or (RequestAccountDomain has_any (actorusername_has_any)) or (strcat(RequestAccountDomain, '\\\\', RequestAccountName) has_any (actorusername_has_any))) and\n 
((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith \"/\", \"/\", \"\\\\\"), FileName) has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith \"/\", \"/\", \"\\\\\"), PreviousFileName) has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))\n | project-rename \n SrcIpAddr = RequestSourceIP,\n ActorUserSid = RequestAccountSid,\n TargetUserSid = InitiatingProcessAccountSid,\n TargetUserAadId = InitiatingProcessAccountObjectId,\n TargetUserUpn = InitiatingProcessAccountUpn\n | extend\n ActorWindowsUsername = strcat(RequestAccountDomain, '\\\\', RequestAccountName),\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName),\n ActorUserUpn = \"\",\n ActorUserAadId = \"\"\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\n TargetUserType = _ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\n | extend\n SrcPortNumber = toint(RequestSourcePort),\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \n TargetUserIdType = iff(isempty(TargetUserSid), 'AADID', 'SID'),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n ;\n let local_events = \n DeviceFileEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where 
isempty(RequestAccountName)\n | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0)) and \n ((array_length(actorusername_has_any) == 0) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any (actorusername_has_any)) or (InitiatingProcessAccountUpn has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith \"/\", \"/\", \"\\\\\"), FileName) has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith \"/\", \"/\", \"\\\\\"), PreviousFileName) has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any)) \n | project-rename\n ActorUserSid = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn\n | extend \n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) \n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\n | project-away RequestAccountSid, RequestSourceIP\n ;\n union \n remote_events\n , \n local_events\n | project-rename\n EventType = ActionType,\n DvcId = DeviceId,\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileSHA256 = SHA256,\n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessName 
=InitiatingProcessFolderPath,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessParentFileName = InitiatingProcessParentFileName,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\n TargetFileName = FileName,\n SrcFileName = PreviousFileName\n | extend\n DvcOs = iff(FolderPath startswith \"/\", \"Linux\", \"Windows\"),\n TargetFileSize = tolong(FileSize)\n | extend\n EventCount = int(1),\n EventOriginalUid = tostring(ReportId),\n ActingProcessId = tostring(InitiatingProcessId),\n EventStartTime = Timestamp, \n EventEndTime= Timestamp,\n EventResult = 'Success',\n EventProduct = 'M365 Defender for Endpoint',\n EventSchema = 'FileEvent',\n EventVendor = 'Microsoft',\n EventSeverity = 'Informational',\n EventSchemaVersion = '0.2.1',\n DvcIdType = \"MDEid\",\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \n ActorUserIdType = iff(isempty(ActorUserSid), 'AADID', 'SID'),\n TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\n TargetFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\n | project-away DeviceName\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5), Hash)]) \n // ****** Aliases\n | extend \n User = 
ActorUsername,\n Dvc = coalesce(DvcFQDN, DvcHostname),\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n CommandLine = ActingProcessCommandLine,\n DvcMDEid = DvcId,\n FileName = TargetFileName\n | project-away\n MachineGroup,\n ReportId,\n SourceSystem,\n Initiating*,\n Timestamp,\n TenantId,\n Request*,\n PreviousFolderPath,\n FolderPath,\n AppGuardContainerId\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering parser for Microsoft 365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoft365D", + "query": "let protocols = dynamic(['smb']);\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let remote_events = \n DeviceFileEvents\n | where not(disabled)\n | where 
(isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where isnotempty(RequestAccountName)\n | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(RequestSourceIP, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (RequestAccountName has_any (actorusername_has_any)) or (RequestAccountDomain has_any (actorusername_has_any)) or (strcat(RequestAccountDomain, '\\\\', RequestAccountName) has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith \"/\", \"/\", \"\\\\\"), FileName) has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith \"/\", \"/\", \"\\\\\"), PreviousFileName) has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))\n | project-rename \n SrcIpAddr = RequestSourceIP,\n ActorUserSid = RequestAccountSid,\n TargetUserSid = InitiatingProcessAccountSid,\n TargetUserAadId = InitiatingProcessAccountObjectId,\n TargetUserUpn = InitiatingProcessAccountUpn\n | extend\n ActorWindowsUsername = strcat(RequestAccountDomain, '\\\\', RequestAccountName),\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName),\n ActorUserUpn = \"\",\n ActorUserAadId = \"\"\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\n TargetUserType = 
_ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\n | extend\n SrcPortNumber = toint(RequestSourcePort),\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \n TargetUserIdType = iff(isempty(TargetUserSid), 'AADID', 'SID'),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n ;\n let local_events = \n DeviceFileEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where isempty(RequestAccountName)\n | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0)) and \n ((array_length(actorusername_has_any) == 0) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any (actorusername_has_any)) or (InitiatingProcessAccountUpn has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith \"/\", \"/\", \"\\\\\"), FileName) has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith \"/\", \"/\", \"\\\\\"), PreviousFileName) has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any)) \n | project-rename\n ActorUserSid = InitiatingProcessAccountSid,\n 
ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn\n | extend \n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) \n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\n | project-away RequestAccountSid, RequestSourceIP\n ;\n union \n remote_events\n , \n local_events\n | project-rename\n EventType = ActionType,\n DvcId = DeviceId,\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileSHA256 = SHA256,\n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessName =InitiatingProcessFolderPath,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessParentFileName = InitiatingProcessParentFileName,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\n TargetFileName = FileName,\n SrcFileName = PreviousFileName\n | extend\n DvcOs = iff(FolderPath startswith \"/\", \"Linux\", \"Windows\"),\n TargetFileSize = tolong(FileSize)\n | extend\n EventCount = int(1),\n EventOriginalUid = tostring(ReportId),\n ActingProcessId = tostring(InitiatingProcessId),\n EventStartTime = Timestamp, \n EventEndTime= Timestamp,\n EventResult = 'Success',\n EventProduct = 'M365 Defender for Endpoint',\n EventSchema = 'FileEvent',\n EventVendor = 'Microsoft',\n EventSeverity = 'Informational',\n EventSchemaVersion = '0.2.1',\n DvcIdType = \"MDEid\",\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \n ActorUserIdType = iff(isempty(ActorUserSid), 'AADID', 'SID'),\n TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\n TargetFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows 
Local\"),\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\n | project-away DeviceName\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5), Hash)]) \n // ****** Aliases\n | extend \n User = ActorUsername,\n Dvc = coalesce(DvcFQDN, DvcHostname),\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n CommandLine = ActingProcessCommandLine,\n DvcMDEid = DvcId,\n FileName = TargetFileName\n | project-away\n MachineGroup,\n ReportId,\n SourceSystem,\n Initiating*,\n Timestamp,\n TenantId,\n Request*,\n PreviousFolderPath,\n FolderPath,\n AppGuardContainerId\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json index e4b457bf3a3..90362ea7087 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering parser for Microsoft Windows Events", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftSecurityEvents", - "query": "let Parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"ObjectAccessed\"\n ,\n \"0x10\", \"MetadataModified\"\n ,\n \"0x100\", \"MetadataModified\"\n ,\n \"0x10000\", \"ObjectDeleted\"\n ,\n \"0x2\", \"ObjectModified\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x4\", \"ObjectModified\"\n ,\n \"0x40\", \"ObjectDeleted\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x6\", \"ObjectModified\"\n ,\n \"0x8\", \"MetadataAccessed\"\n ,\n \"0x80\", \"MetadataAccessed\"\n ,\n \"0x80000\", \"MetadataModified\"\n];\n let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \n let KnownSIDs = datatable (sid: string, username: 
string, type: string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 \n and ObjectType == \"File\"\n and ObjectName !startswith @\"\\Device\\\"\n | where (array_length(srcipaddr_has_any_prefix) == 0) and \n ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | project\n TimeGenerated,\n EventID,\n AccessMask,\n ProcessName,\n SubjectUserSid,\n AccountType,\n Computer,\n ObjectName,\n ProcessId,\n SubjectUserName,\n SubjectAccount,\n SubjectLogonId,\n HandleId,\n Type\n | lookup EventTypeLookup on AccessMask\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | lookup UserTypeLookup on AccountType\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActingProcessName = ProcessName\n ,\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n ,\n ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetFilePath = ObjectName\n ,\n TargetFilePathFormat = \"Windows Local\"\n ,\n ActingProcessId = tostring(toint(ProcessId))\n ,\n EventOriginalType = tostring(EventID)\n | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n | project-away EventID, ProcessId, AccountType, username\n | project-rename\n ActorUserId = SubjectUserSid\n ,\n DvcHostname = Computer\n ,\n Process = ProcessName\n ,\n FilePath = ObjectName\n ,\n ActorSessionId = SubjectLogonId\n ,\n FileSessionId = HandleId\n | extend\n EventSchema = \"FileEvent\"\n ,\n 
EventSchemaVersion = \"0.1.1\"\n ,\n EventResult = \"Success\"\n ,\n EventCount = int(1)\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Security Events'\n ,\n Dvc = DvcHostname\n ,\n ActorWindowsUsername = ActorUsername\n ,\n User = ActorUsername\n ,\n ActorUserSid = ActorUserId,\n ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering parser for Microsoft Windows Events", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftSecurityEvents", + "query": "let Parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", 
\"ObjectAccessed\"\n ,\n \"0x10\", \"MetadataModified\"\n ,\n \"0x100\", \"MetadataModified\"\n ,\n \"0x10000\", \"ObjectDeleted\"\n ,\n \"0x2\", \"ObjectModified\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x4\", \"ObjectModified\"\n ,\n \"0x40\", \"ObjectDeleted\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x6\", \"ObjectModified\"\n ,\n \"0x8\", \"MetadataAccessed\"\n ,\n \"0x80\", \"MetadataAccessed\"\n ,\n \"0x80000\", \"MetadataModified\"\n];\n let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \n let KnownSIDs = datatable (sid: string, username: string, type: string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 \n and ObjectType == \"File\"\n and ObjectName !startswith @\"\\Device\\\"\n | where (array_length(srcipaddr_has_any_prefix) == 0) and \n ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | project\n TimeGenerated,\n EventID,\n AccessMask,\n ProcessName,\n SubjectUserSid,\n AccountType,\n Computer,\n ObjectName,\n ProcessId,\n SubjectUserName,\n SubjectAccount,\n SubjectLogonId,\n HandleId,\n Type\n | lookup EventTypeLookup on AccessMask\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | lookup UserTypeLookup on AccountType\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActingProcessName = ProcessName\n ,\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n ,\n ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n ,\n EventStartTime = 
TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetFilePath = ObjectName\n ,\n TargetFilePathFormat = \"Windows Local\"\n ,\n ActingProcessId = tostring(toint(ProcessId))\n ,\n EventOriginalType = tostring(EventID)\n | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n | project-away EventID, ProcessId, AccountType, username\n | project-rename\n ActorUserId = SubjectUserSid\n ,\n DvcHostname = Computer\n ,\n Process = ProcessName\n ,\n FilePath = ObjectName\n ,\n ActorSessionId = SubjectLogonId\n ,\n FileSessionId = HandleId\n | extend\n EventSchema = \"FileEvent\"\n ,\n EventSchemaVersion = \"0.1.1\"\n ,\n EventResult = \"Success\"\n ,\n EventCount = int(1)\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Security Events'\n ,\n Dvc = DvcHostname\n ,\n ActorWindowsUsername = ActorUsername\n ,\n User = ActorUsername\n ,\n ActorUserSid = ActorUserId,\n ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
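Review bot: `lookup EventTypeLookup on AccessMask` is a left-outer join, so a 4663 event whose AccessMask is not one of the 13 values in the datatable (any combined mask other than `0x6`, e.g. `0x3` or `0x1F`) keeps flowing with an empty EventType whenever `eventtype_in` is empty, which breaks the mandatory-field contract for downstream content that keys on EventType. Either drop those rows with `| where isnotempty(EventType)` immediately after the lookup, or extend the table to the combined masks the audit policy can emit, and add a one-line comment above the datatable stating which choice was made. Separately, this parser still declares `EventSchemaVersion = "0.1.1"` while the M365D and SharePoint parsers in the same change emit `0.2.1`; if the field set here really is the older schema that deserves a comment, otherwise bump it. The parser body is unchanged by this commit; only the ARM wrapper around it moved.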
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSharePoint/vimFileEventMicrosoftSharePoint.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSharePoint/vimFileEventMicrosoftSharePoint.json index 0df7af3ba80..c41d572be36 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSharePoint/vimFileEventMicrosoftSharePoint.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSharePoint/vimFileEventMicrosoftSharePoint.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSharePoint')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftSharePoint", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Sharepoint and OneDrive for business", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftSharePoint", - "query": "let _ASIM_ResolveActorUsername = (T: (*), UsernameField: string) { \n T\n | extend ActorUsername = column_ifexists(UsernameField, \"\")\n | extend windows = ActorUsername has '\\\\'\n | extend \n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\n ActorUserUpn = iff (windows, \"\", ActorUsername),\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\n};\nlet operations = datatable (Operation: string, EventType: string, EventSubType: string) [\n \"FileUploaded\", \"FileCreated\", \"Upload\",\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\n \"FileDeleted\", \"FileDeleted\", \"\",\n \"FileAccessed\", \"FileAccessed\", \"\",\n \"FolderCreated\", \"FolderCreated\", \"\",\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\n \"FolderModified\", \"FolderModified\", \"\",\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\n \"FileModified\", \"FolderModified\", \"\",\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\n 
\"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\n \"SiteDeleted\", \"FolderDeleted\", \"Site\",\n \"FileRenamed\", \"FileRenamed\", \"\",\n \"FileMoved\", \"FileMoved\", \"\",\n \"FileCopied\", \"FileCopied\", \"\",\n \"FolderCopied\", \"FolderCopied\", \"\",\n \"FolderMoved\", \"FolderMoved\", \"\",\n \"FolderRenamed\", \"FolderRenamed\", \"\",\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\n \"FolderDeleted\", \"FolderDeleted\", \"\",\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\n];\nlet multiple_file_operations = dynamic([\n \"FileRenamed\",\n \"FileMoved\",\n \"FileCopied\",\n \"FolderCopied\",\n \"FolderMoved\",\n \"FolderRenamed\"\n ]);\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let OfficeActivityProjected = \n OfficeActivity\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(ClientIP, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (UserId has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (OfficeObjectId has_any (targetfilepath_has_any)) or (strcat (Site_Url, 
DestinationRelativeUrl, \"/\", DestinationFileName) has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0) or (OfficeObjectId has_any (srcfilepath_has_any))) and\n (array_length(hashes_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0)\n | project\n Operation,\n OrganizationId,\n OrganizationName,\n SourceRecordId,\n OfficeWorkload,\n UserId,\n ClientIP,\n UserAgent,\n Start_Time,\n TimeGenerated,\n Type,\n OfficeObjectId,\n SourceFileName,\n SourceFileExtension,\n DestinationFileName,\n DestinationFileExtension,\n Site_Url,\n DestinationRelativeUrl,\n UserKey,\n MachineDomainInfo,\n MachineId; // ,_ItemId \n let SingleFileOperationEvents = \n OfficeActivityProjected\n | where Operation !in (multiple_file_operations)\n | project-rename \n TargetFilePath = OfficeObjectId,\n TargetFileName = SourceFileName,\n TargetFileExtension = SourceFileExtension\n // Post-filtering\n | where (array_length(srcfilepath_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | extend \n TargetFilePathType = \"URL\"\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\n ;\n // single in dest: SiteDeleted\n let MultipleFileOperationsEvents = \n OfficeActivityProjected\n | where Operation in (multiple_file_operations)\n | project-rename \n SrcFilePath = OfficeObjectId,\n TargetFileName = DestinationFileName,\n TargetFileExtension = DestinationFileExtension,\n SrcFileName = SourceFileName,\n SrcFileExtension = SourceFileExtension\n | extend \n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\n TargetFilePathType = \"URL\",\n SrcFilePathType = \"URL\"\n // Post-filtering\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | project-away DestinationRelativeUrl\n ;\n 
union SingleFileOperationEvents, MultipleFileOperationsEvents\n | lookup operations on Operation\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke _ASIM_ResolveActorUsername('UserId')\n | project-away UserId\n | project-rename \n EventOriginalType = Operation,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId,\n EventProduct = OfficeWorkload,\n ActorUserId = UserKey,\n HttpUserAgent = UserAgent,\n SrcIpAddr = ClientIP,\n EventStartTime = Start_Time,\n // EvetUid = _ItemId,\n TargetUrl = Site_Url,\n SrcDvcId = MachineId,\n SrcDvcScopeId = MachineDomainInfo\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated,\n EventResult = \"Success\",\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.1',\n EventSchema = \"FileEvent\",\n ActorUserIdType = 'Other',\n SrcDvcIdType = 'Other',\n TargetAppName = EventProduct,\n TargetAppType = 'SaaS application',\n Dvc = strcat ('Microsoft ', EventProduct)\n // Aliases\n | extend \n User = ActorUsername,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Url = TargetUrl,\n Dvc = EventProduct,\n Application = EventProduct\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Sharepoint and OneDrive for business", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftSharePoint", + "query": "let _ASIM_ResolveActorUsername = (T: (*), UsernameField: string) { \n T\n | extend ActorUsername = column_ifexists(UsernameField, \"\")\n | extend windows = ActorUsername has '\\\\'\n | extend \n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\n ActorUserUpn = iff (windows, \"\", ActorUsername),\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\n};\nlet operations = datatable (Operation: string, EventType: string, EventSubType: string) [\n \"FileUploaded\", \"FileCreated\", \"Upload\",\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\n \"FileDeleted\", \"FileDeleted\", \"\",\n \"FileAccessed\", \"FileAccessed\", \"\",\n \"FolderCreated\", \"FolderCreated\", \"\",\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\n \"FolderModified\", \"FolderModified\", \"\",\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\n \"FileModified\", \"FolderModified\", \"\",\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\n \"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\n 
\"SiteDeleted\", \"FolderDeleted\", \"Site\",\n \"FileRenamed\", \"FileRenamed\", \"\",\n \"FileMoved\", \"FileMoved\", \"\",\n \"FileCopied\", \"FileCopied\", \"\",\n \"FolderCopied\", \"FolderCopied\", \"\",\n \"FolderMoved\", \"FolderMoved\", \"\",\n \"FolderRenamed\", \"FolderRenamed\", \"\",\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\n \"FolderDeleted\", \"FolderDeleted\", \"\",\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\n];\nlet multiple_file_operations = dynamic([\n \"FileRenamed\",\n \"FileMoved\",\n \"FileCopied\",\n \"FolderCopied\",\n \"FolderMoved\",\n \"FolderRenamed\"\n ]);\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let OfficeActivityProjected = \n OfficeActivity\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(ClientIP, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (UserId has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (OfficeObjectId has_any (targetfilepath_has_any)) or (strcat (Site_Url, DestinationRelativeUrl, \"/\", DestinationFileName) has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0) or (OfficeObjectId has_any (srcfilepath_has_any))) and\n (array_length(hashes_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0)\n | 
project\n Operation,\n OrganizationId,\n OrganizationName,\n SourceRecordId,\n OfficeWorkload,\n UserId,\n ClientIP,\n UserAgent,\n Start_Time,\n TimeGenerated,\n Type,\n OfficeObjectId,\n SourceFileName,\n SourceFileExtension,\n DestinationFileName,\n DestinationFileExtension,\n Site_Url,\n DestinationRelativeUrl,\n UserKey,\n MachineDomainInfo,\n MachineId; // ,_ItemId \n let SingleFileOperationEvents = \n OfficeActivityProjected\n | where Operation !in (multiple_file_operations)\n | project-rename \n TargetFilePath = OfficeObjectId,\n TargetFileName = SourceFileName,\n TargetFileExtension = SourceFileExtension\n // Post-filtering\n | where (array_length(srcfilepath_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | extend \n TargetFilePathType = \"URL\"\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\n ;\n // single in dest: SiteDeleted\n let MultipleFileOperationsEvents = \n OfficeActivityProjected\n | where Operation in (multiple_file_operations)\n | project-rename \n SrcFilePath = OfficeObjectId,\n TargetFileName = DestinationFileName,\n TargetFileExtension = DestinationFileExtension,\n SrcFileName = SourceFileName,\n SrcFileExtension = SourceFileExtension\n | extend \n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\n TargetFilePathType = \"URL\",\n SrcFilePathType = \"URL\"\n // Post-filtering\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | project-away DestinationRelativeUrl\n ;\n union SingleFileOperationEvents, MultipleFileOperationsEvents\n | lookup operations on Operation\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke _ASIM_ResolveActorUsername('UserId')\n | project-away UserId\n | project-rename \n 
EventOriginalType = Operation,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId,\n EventProduct = OfficeWorkload,\n ActorUserId = UserKey,\n HttpUserAgent = UserAgent,\n SrcIpAddr = ClientIP,\n EventStartTime = Start_Time,\n // EvetUid = _ItemId,\n TargetUrl = Site_Url,\n SrcDvcId = MachineId,\n SrcDvcScopeId = MachineDomainInfo\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated,\n EventResult = \"Success\",\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.1',\n EventSchema = \"FileEvent\",\n ActorUserIdType = 'Other',\n SrcDvcIdType = 'Other',\n TargetAppName = EventProduct,\n TargetAppType = 'SaaS application',\n Dvc = strcat ('Microsoft ', EventProduct)\n // Aliases\n | extend \n User = ActorUsername,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Url = TargetUrl,\n Dvc = EventProduct,\n Application = EventProduct\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmon/vimFileEventMicrosoftSysmon.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmon/vimFileEventMicrosoftSysmon.json index 11bc308f6cd..98d3a8ec848 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmon/vimFileEventMicrosoftSysmon.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmon/vimFileEventMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM filtering parser for Windows Sysmon", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftSysmon", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n // -- Event parser\n let EventParser = () {\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | project\n EventID,\n EventData,\n Computer,\n TimeGenerated,\n _ResourceId,\n _SubscriptionId,\n Source,\n Type, \n _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n | project-away Source\n // pre-filtering\n | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(srcfilepath_has_any) == 0)) and\n ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n | parse-kv 
EventData as (\n RuleName: string,\n UtcTime: datetime, \n ProcessGuid: string,\n ProcessId: string,\n Image: string,\n User: string,\n TargetFilename: string,\n Hashes: string,\n CreationUtcTime: datetime\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActingProcessGuid = ProcessGuid,\n ActingProcessId = ProcessId,\n ActorUsername = User,\n ActingProcessName = Image,\n TargetFileCreationTime=CreationUtcTime,\n TargetFilePath=TargetFilename,\n EventStartTime=UtcTime\n // Filter for ActorUsername and TargetFilePath\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and \n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | project-away EventData\n};\n EventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5: string,\n SHA1: string,\n IMPHASH: string,\n SHA256: string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n // Filter for hash\n | where (array_length(hashes_has_any) == 0)\n or (TargetFileMD5 has_any (hashes_has_any))\n or (TargetFileSHA1 has_any (hashes_has_any))\n or (TargetFileIMPHASH has_any (hashes_has_any))\n or 
(TargetFileSHA256 has_any (hashes_has_any))\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM filtering parser for Windows Sysmon", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftSysmon", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n 
dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n // -- Event parser\n let EventParser = () {\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | project\n EventID,\n EventData,\n Computer,\n TimeGenerated,\n _ResourceId,\n _SubscriptionId,\n Source,\n Type, \n _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n | project-away Source\n // pre-filtering\n | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(srcfilepath_has_any) == 0)) and\n ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n | parse-kv EventData as (\n RuleName: string,\n UtcTime: datetime, \n ProcessGuid: string,\n ProcessId: string,\n Image: string,\n User: string,\n TargetFilename: string,\n Hashes: string,\n CreationUtcTime: datetime\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActingProcessGuid = ProcessGuid,\n ActingProcessId = ProcessId,\n ActorUsername = User,\n ActingProcessName = Image,\n TargetFileCreationTime=CreationUtcTime,\n TargetFilePath=TargetFilename,\n EventStartTime=UtcTime\n // Filter for ActorUsername and TargetFilePath\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and \n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | project-away EventData\n};\n EventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n 
TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5: string,\n SHA1: string,\n IMPHASH: string,\n SHA256: string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n // Filter for hash\n | where (array_length(hashes_has_any) == 0)\n or (TargetFileMD5 has_any (hashes_has_any))\n or (TargetFileSHA1 has_any (hashes_has_any))\n or (TargetFileIMPHASH has_any (hashes_has_any))\n or (TargetFileSHA256 has_any (hashes_has_any))\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonWindowsEvent/vimFileEventMicrosoftSysmonWindowsEvent.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonWindowsEvent/vimFileEventMicrosoftSysmonWindowsEvent.json index fba3fb1b98b..84fc3bad991 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonWindowsEvent/vimFileEventMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonWindowsEvent/vimFileEventMicrosoftSysmonWindowsEvent.json 
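Review bot: `HashType` in the new `vimFileEventMicrosoftSysmon` query labels a hash-less event "SHA256": when all four hash columns are empty, `Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)` is an empty string, `array_index_of(pack_array(...), Hash)` then matches the first empty element at index 0, and the `dynamic([...])[0]` lookup returns "SHA256" even though `Hash` is blank (EventID 11 rows would hit this on every event if, as I believe, Sysmon FileCreate payloads carry no `Hashes` field — worth confirming). Suggest guarding the lookup: `HashType = iff(isempty(Hash), "", tostring(dynamic(["SHA256", "SHA1", "MD5", "IMPHASH"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)]))`. The query text is carried over unchanged by this restructure, so this is pre-existing, and since the JSON is generated by ASimYaml2ARM the fix belongs in the parser's YAML source and should then be regenerated here.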
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM filtering parser for Windows Sysmon", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n //\n // -- WindowsEvent parser\n let WindowsEventParser=() {\n WindowsEvent \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | project\n EventID,\n EventData,\n Computer,\n TimeGenerated,\n _ResourceId,\n _SubscriptionId,\n Provider,\n Type,\n _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n | project-away Provider\n // pre-filtering\n | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (tostring(EventData.User) has_any 
(actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (tostring(EventData.TargetFilename) has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0)) and\n ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n | extend \n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\n TargetFilePath=tostring(EventData.TargetFilename),\n ActingProcessName = tostring(EventData.Image),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = tostring(EventData.ProcessGuid),\n ActorUsername = tostring(EventData.User),\n EventStartTime = todatetime(EventData.UtcTime),\n RuleName = tostring(EventData.RuleName),\n Hashes = tostring(EventData.Hashes)\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\n | project-away EventData\n};\n WindowsEventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5: string,\n SHA1: string,\n IMPHASH: string,\n SHA256: string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n // Filter for hash\n | where (array_length(hashes_has_any) == 0)\n or (TargetFileMD5 has_any (hashes_has_any))\n or (TargetFileSHA1 
has_any (hashes_has_any))\n or (TargetFileIMPHASH has_any (hashes_has_any))\n or (TargetFileSHA256 has_any (hashes_has_any))\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM filtering parser for Windows Sysmon", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n 
srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n //\n // -- WindowsEvent parser\n let WindowsEventParser=() {\n WindowsEvent \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | project\n EventID,\n EventData,\n Computer,\n TimeGenerated,\n _ResourceId,\n _SubscriptionId,\n Provider,\n Type,\n _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n | project-away Provider\n // pre-filtering\n | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (tostring(EventData.User) has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (tostring(EventData.TargetFilename) has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0)) and\n ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n | extend \n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\n TargetFilePath=tostring(EventData.TargetFilename),\n ActingProcessName = tostring(EventData.Image),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = tostring(EventData.ProcessGuid),\n ActorUsername = tostring(EventData.User),\n EventStartTime = todatetime(EventData.UtcTime),\n RuleName = tostring(EventData.RuleName),\n Hashes = tostring(EventData.Hashes)\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\n | project-away EventData\n};\n WindowsEventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 
'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5: string,\n SHA1: string,\n IMPHASH: string,\n SHA256: string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n // Filter for hash\n | where (array_length(hashes_has_any) == 0)\n or (TargetFileMD5 has_any (hashes_has_any))\n or (TargetFileSHA1 has_any (hashes_has_any))\n or (TargetFileIMPHASH has_any (hashes_has_any))\n or (TargetFileSHA256 has_any (hashes_has_any))\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + 
"version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json index a09511b2307..ce529cc1540 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json 
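Review bot: The new saved search keeps `"displayName": "File event ASIM filtering parser for Windows Sysmon"`, which is exactly the display name the `vimFileEventMicrosoftSysmon` template in this same commit uses, so a workspace that deploys both ends up with two ASIM functions that are indistinguishable in the functions list even though this one reads `WindowsEvent` and the other reads `Event`. Suggest `"displayName": "File event ASIM filtering parser for Windows Sysmon (WindowsEvent table)"`, set in the parser YAML that generates this file. Separately, the `HashType` expression here has the same empty-hash fallback as its `Event`-table sibling: when all four hash columns are empty, `array_index_of` matches the first empty element and the event is labelled "SHA256" with a blank `Hash`; wrapping it as `HashType = iff(isempty(Hash), "", tostring(...))` avoids that.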
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering parser for Microsoft Windows Events", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftWindowsEvents", - "query": "let Parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"ObjectAccessed\"\n ,\n \"0x10\", \"MetadataModified\"\n ,\n \"0x100\", \"MetadataModified\"\n ,\n \"0x10000\", \"ObjectDeleted\"\n ,\n \"0x2\", \"ObjectModified\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x4\", \"ObjectModified\"\n ,\n \"0x40\", \"ObjectDeleted\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x6\", \"ObjectModified\"\n ,\n \"0x8\", \"MetadataAccessed\"\n ,\n \"0x80\", \"MetadataAccessed\"\n ,\n \"0x80000\", \"MetadataModified\"\n];\n let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \n let KnownSIDs = datatable (sid: string, username: 
string, type: string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\n WindowsEvent\n | where EventID == 4663 \n and EventData.ObjectType == \"File\"\n and EventData.ObjectName !startswith @\"\\Device\\\"\n | extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n | project\n TimeGenerated\n ,\n EventID,\n AccessMask = tostring(EventData.AccessMask)\n ,\n ProcessName = tostring(EventData.ProcessName)\n ,\n SubjectUserSid = tostring(EventData.SubjectUserSid)\n ,\n AccountType = tostring(EventData.AccountType)\n ,\n Computer = tostring(EventData.Computer)\n ,\n ObjectName = tostring(EventData.ObjectName)\n ,\n ProcessId = tostring(EventData.ProcessId)\n ,\n SubjectUserName = tostring(EventData.SubjectUserName)\n ,\n SubjectAccount = tostring(EventData.SubjectAccount)\n ,\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n ,\n HandleId = tostring(EventData.HandleId)\n ,\n Type\n | lookup EventTypeLookup on AccessMask\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | lookup UserTypeLookup on AccountType\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActingProcessName = ProcessName\n ,\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n ,\n ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetFilePath = ObjectName\n ,\n TargetFilePathFormat = \"Windows Local\"\n ,\n ActingProcessId = tostring(toint(ProcessId))\n ,\n EventOriginalType = tostring(EventID)\n | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n | project-away EventID, ProcessId, AccountType, username\n | project-rename\n ActorUserId = SubjectUserSid\n ,\n DvcHostname = Computer\n ,\n Process = ProcessName\n ,\n FilePath = ObjectName\n ,\n ActorSessionId = SubjectLogonId\n ,\n FileSessionId = HandleId\n | extend\n EventSchema = 
\"FileEvent\"\n ,\n EventSchemaVersion = \"0.1.1\"\n ,\n EventResult = \"Success\"\n ,\n EventCount = int(1)\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Security Events'\n ,\n Dvc = DvcHostname\n ,\n ActorWindowsUsername = ActorUsername\n ,\n User = ActorUsername\n ,\n ActorUserSid = ActorUserId\n , ActorUserIdType=\"SID\"\n , TargetFilePathType=\"Windows Local\"\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering parser for Microsoft Windows Events", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftWindowsEvents", + "query": "let Parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n 
[\n \"0x1\", \"ObjectAccessed\"\n ,\n \"0x10\", \"MetadataModified\"\n ,\n \"0x100\", \"MetadataModified\"\n ,\n \"0x10000\", \"ObjectDeleted\"\n ,\n \"0x2\", \"ObjectModified\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x4\", \"ObjectModified\"\n ,\n \"0x40\", \"ObjectDeleted\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x6\", \"ObjectModified\"\n ,\n \"0x8\", \"MetadataAccessed\"\n ,\n \"0x80\", \"MetadataAccessed\"\n ,\n \"0x80000\", \"MetadataModified\"\n];\n let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \n let KnownSIDs = datatable (sid: string, username: string, type: string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\n WindowsEvent\n | where EventID == 4663 \n and EventData.ObjectType == \"File\"\n and EventData.ObjectName !startswith @\"\\Device\\\"\n | extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n | project\n TimeGenerated\n ,\n EventID,\n AccessMask = tostring(EventData.AccessMask)\n ,\n ProcessName = tostring(EventData.ProcessName)\n ,\n SubjectUserSid = tostring(EventData.SubjectUserSid)\n ,\n AccountType = tostring(EventData.AccountType)\n ,\n Computer = tostring(EventData.Computer)\n ,\n ObjectName = tostring(EventData.ObjectName)\n ,\n ProcessId = tostring(EventData.ProcessId)\n ,\n SubjectUserName = tostring(EventData.SubjectUserName)\n ,\n SubjectAccount = tostring(EventData.SubjectAccount)\n ,\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n ,\n HandleId = tostring(EventData.HandleId)\n ,\n Type\n | lookup EventTypeLookup on AccessMask\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | lookup UserTypeLookup on AccountType\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActingProcessName = ProcessName\n ,\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n ,\n ActorUsernameType = iff(SubjectUserName == '-', 
type, 'Windows')\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetFilePath = ObjectName\n ,\n TargetFilePathFormat = \"Windows Local\"\n ,\n ActingProcessId = tostring(toint(ProcessId))\n ,\n EventOriginalType = tostring(EventID)\n | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n | project-away EventID, ProcessId, AccountType, username\n | project-rename\n ActorUserId = SubjectUserSid\n ,\n DvcHostname = Computer\n ,\n Process = ProcessName\n ,\n FilePath = ObjectName\n ,\n ActorSessionId = SubjectLogonId\n ,\n FileSessionId = HandleId\n | extend\n EventSchema = \"FileEvent\"\n ,\n EventSchemaVersion = \"0.1.1\"\n ,\n EventResult = \"Success\"\n ,\n EventCount = int(1)\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Security Events'\n ,\n Dvc = DvcHostname\n ,\n ActorWindowsUsername = ActorUsername\n ,\n User = ActorUsername\n ,\n ActorUserSid = ActorUserId\n , ActorUserIdType=\"SID\"\n , TargetFilePathType=\"Windows Local\"\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventNative/vimFileEventNative.json b/Parsers/ASimFileEvent/ARM/vimFileEventNative/vimFileEventNative.json
index b871fe55022..f4bf45c8390 100644
--- a/Parsers/ASimFileEvent/ARM/vimFileEventNative/vimFileEventNative.json
+++ b/Parsers/ASimFileEvent/ARM/vimFileEventNative/vimFileEventNative.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering parser for Microsoft Sentinel native File Event table", - "category": "ASIM", - "FunctionAlias": "vimFileEventNative", - "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimFileEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (TargetFileMD5 in (hashes_has_any)) or (TargetFileSHA1 in 
(hashes_has_any)) or (TargetFileSHA256 in (hashes_has_any)) or (TargetFileSHA512 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"FileEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n Url = TargetUrl,\n Application = TargetAppName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n )\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering parser for Microsoft Sentinel native File Event table", + "category": "ASIM", + "FunctionAlias": "vimFileEventNative", + "query": "let parser=(\n starttime: datetime=datetime(null),\n 
endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimFileEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (TargetFileMD5 in (hashes_has_any)) or (TargetFileSHA1 in (hashes_has_any)) or (TargetFileSHA256 in (hashes_has_any)) or (TargetFileSHA512 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"FileEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n Url = TargetUrl,\n Application = TargetAppName\n | project-away\n 
TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n )\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventSentinelOne/vimFileEventSentinelOne.json b/Parsers/ASimFileEvent/ARM/vimFileEventSentinelOne/vimFileEventSentinelOne.json index f8c1cda8488..be0fe86895b 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventSentinelOne/vimFileEventSentinelOne.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventSentinelOne/vimFileEventSentinelOne.json 
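Review bot: The alias line `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` in the new query tests EventEndTime instead of EventStartTime, so a row with a null EventStartTime but a populated EventEndTime keeps its null, while a row with a populated EventStartTime and a null EventEndTime has its real start time overwritten with TimeGenerated. The line directly above it, `EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime)`, is the pattern this was evidently copied from; the start-time line should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`. This ARM template appears to be generated from the parser's YAML source, so the fix belongs in the YAML followed by a regeneration, not in this JSON. Dropping the top-level workspace resource and its `dependsOn` is a welcome tightening, since the template no longer performs a PUT on the workspace itself; it presumably now requires the workspace to pre-exist, which is worth stating in the parameter description.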
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering Parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimFileEventSentinelOne", - "query": "let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet GetLinuxFilenamePart = (path: string) { tostring(split(path, @'/')[-1]) };\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"FILECREATION\", \"FileCreated\",\n \"FILEMODIFICATION\", \"FileModified\",\n \"FILEDELETION\", \"FileDeleted\",\n \"FILERENAME\", \"FileRenamed\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: 
dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let allFileData = SentinelOne_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0)\n and ((array_length(actorusername_has_any) == 0) or (sourceProcessInfo_user_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (targetProcessInfo_tgtFilePath_s has_any (targetfilepath_has_any)))\n and ((array_length(srcfilepath_has_any) == 0) or (targetProcessInfo_tgtFileOldPath_s has_any (srcfilepath_has_any)))\n and ((array_length(hashes_has_any) == 0) or (targetProcessInfo_tgtFileHashSha1_s in (hashes_has_any)) or (targetProcessInfo_tgtFileHashSha256_s in (hashes_has_any)))\n and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\n let windowsFileData = allFileData\n | where agentDetectionInfo_osFamily_s == \"windows\"\n | extend\n TargetFilePathType = \"Windows Local\",\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let otherFileData = allFileData\n | where agentDetectionInfo_osFamily_s != \"windows\"\n | extend\n TargetFilePathType = \"Unix\",\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let parseddata = union windowsFileData, otherFileData\n | lookup EventTypeLookup on alertInfo_eventType_s\n | where 
((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)));\n let undefineddata = parseddata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n EventVendor = \"SentinelOne\",\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventCount = toint(1),\n DvcAction = \"Allowed\",\n ActorUsername = sourceProcessInfo_user_s\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessId = sourceProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ThreatOriginalConfidence = 
ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n EventEndTime = EventStartTime,\n Rule = RuleName,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\n \"TargetFileSHA1\",\n \"\"\n ) \n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n ThreatConfidence_*\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering Parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimFileEventSentinelOne", + "query": "let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet GetLinuxFilenamePart = (path: 
string) { tostring(split(path, @'/')[-1]) };\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"FILECREATION\", \"FileCreated\",\n \"FILEMODIFICATION\", \"FileModified\",\n \"FILEDELETION\", \"FileDeleted\",\n \"FILERENAME\", \"FileRenamed\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let allFileData = SentinelOne_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0)\n and ((array_length(actorusername_has_any) == 0) or (sourceProcessInfo_user_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (targetProcessInfo_tgtFilePath_s has_any (targetfilepath_has_any)))\n and ((array_length(srcfilepath_has_any) == 0) or (targetProcessInfo_tgtFileOldPath_s has_any (srcfilepath_has_any)))\n and 
((array_length(hashes_has_any) == 0) or (targetProcessInfo_tgtFileHashSha1_s in (hashes_has_any)) or (targetProcessInfo_tgtFileHashSha256_s in (hashes_has_any)))\n and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\n let windowsFileData = allFileData\n | where agentDetectionInfo_osFamily_s == \"windows\"\n | extend\n TargetFilePathType = \"Windows Local\",\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let otherFileData = allFileData\n | where agentDetectionInfo_osFamily_s != \"windows\"\n | extend\n TargetFilePathType = \"Unix\",\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let parseddata = union windowsFileData, otherFileData\n | lookup EventTypeLookup on alertInfo_eventType_s\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)));\n let undefineddata = parseddata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n EventVendor = \"SentinelOne\",\n EventProduct = \"SentinelOne\",\n 
EventResult = \"Success\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventCount = toint(1),\n DvcAction = \"Allowed\",\n ActorUsername = sourceProcessInfo_user_s\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessId = sourceProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n EventEndTime = EventStartTime,\n Rule = RuleName,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\n \"TargetFileSHA1\",\n \"\"\n ) \n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n 
ThreatConfidence_*\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json b/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json index 17adb843bed..74e15e76f99 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json 
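Review bot: The query's final `union undefineddata, suspiciousdata, maaliciousdata` only passes rows whose `ruleInfo_treatAsThreat_s` is exactly `"UNDEFINED"`, `"Suspicious"` or `"Malicious"` (case-sensitive `==`), so any SentinelOne alert carrying another value or a different casing is silently dropped from the parser output and never reaches ASIM-based detections; the mixed casing of the three literals themselves suggests the field's casing is not uniform. Switch the three branch filters from `==` to `=~`, and add a pass-through branch such as `let otherdata = parseddata | where ruleInfo_treatAsThreat_s !in~ ("UNDEFINED", "Suspicious", "Malicious");` unioned in as `union undefineddata, suspiciousdata, maaliciousdata, otherdata`, so unmatched rows still surface with an empty ThreatConfidence rather than vanishing. The `maaliciousdata` name is a typo for `maliciousdata`. As this JSON appears to be generated from the parser's YAML source, make the change there and regenerate.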
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimFileEventVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", \"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", \"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\n 
\"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n targetfilepath_has_any: dynamic=dynamic([]), \n srcfilepath_has_any: dynamic=dynamic([]), \n hashes_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n and action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | where array_length(srcfilepath_has_any) == 0\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(targetfilepath_has_any) == 0 or filemod_name_s has_any (targetfilepath_has_any))\n and (array_length(hashes_has_any) == 0 or filemod_hash_s has_any (hashes_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has 
\"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s == \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n 
DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n actorusername_has_any=actorusername_has_any, \n targetfilepath_has_any=targetfilepath_has_any, \n srcfilepath_has_any=srcfilepath_has_any, \n hashes_has_any=hashes_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimFileEventVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", \"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", 
\"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n targetfilepath_has_any: dynamic=dynamic([]), \n srcfilepath_has_any: dynamic=dynamic([]), \n hashes_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n and action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | where array_length(srcfilepath_has_any) == 0\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(targetfilepath_has_any) == 0 or filemod_name_s has_any (targetfilepath_has_any))\n and (array_length(hashes_has_any) == 0 or filemod_hash_s has_any (hashes_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup 
EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has \"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s == \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n 
EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n actorusername_has_any=actorusername_has_any, \n targetfilepath_has_any=targetfilepath_has_any, \n srcfilepath_has_any=srcfilepath_has_any, \n hashes_has_any=hashes_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json index 2fd7557df8e..b88d559d872 100644 
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSession')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSession", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n \n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSecurityEventFirewall (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMerakiSyslog (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , 
ASimNetworkSessionMicrosoftSysmonWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , ASimNetworkSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSession", + "query": "let 
DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSecurityEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) 
)))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMerakiSyslog (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmonWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , ASimNetworkSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionIllumioSaaSCore (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionIllumioSaaSCore' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json index 80e2d8e5b37..71abd5f41a2 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json 
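Review bot: `ASimNetworkSessionCiscoMeraki` appears twice in the union on the new side of this hunk (once after the VectraAI entry and again after the SentinelOne entry), so every Meraki row is emitted twice by the generic parser; keep only one `, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` line. The MD4IoT sensor entry checks the watchlist key `ExcludeASimNetworkSessionMD4IoTSSensor` (double S) while every other entry uses `Exclude` followed by the exact parser name, so a watchlist row spelled after the parser, `ExcludeASimNetworkSessionMD4IoTSensor`, would not disable it. Both issues carry over unchanged from the old side; if this JSON is produced from a parser YAML, the fix belongs in that source rather than in the ARM output.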
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionAWSVPC')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionAWSVPC", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for AWS VPC logs", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionAWSVPC", - "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 
70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus == \"OK\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff 
(Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n| project-away Action, AzId, Bytes, FlowDirection, InstanceId, Packets, Protocol, Region, SourceSystem, SublocationId, SublocationType, SubnetId, TcpFlags, TenantId, TrafficPath, Version\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for AWS VPC logs", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionAWSVPC", + "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 
29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet 
DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus == \"OK\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n| project-away Action, AzId, Bytes, FlowDirection, InstanceId, Packets, Protocol, Region, SourceSystem, SublocationId, SublocationType, SubnetId, TcpFlags, TenantId, TrafficPath, Version\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
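Review bot: `ProtocolLookup` on the new side of this hunk carries protocol number 84 twice (`84,"TTP"` and `84,"IPTM"`), and `lookup ProtocolLookup on Protocol` joins against that table, so any flow record with protocol 84 comes back as two rows that differ only in NetworkProtocol. Keep a single row for 84; IANA currently names it IPTM, so the `84,"TTP"` row is the one to drop. The duplicate predates this commit, which only flattens the workspace/savedSearches nesting and leaves the query untouched.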
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json
index e580604382d..824e0b9ab13 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionAppGateSDP')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionAppGateSDP", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for AppGate SDP", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionAppGateSDP", - "query": "let parser = (disabled:bool=false) \n{\n let DirectionLookup = datatable (direction:string, NetworkDirection:string) \n [\n 'up', 'Inbound',\n 'down', 'Outbound'\n ];\n let ActionLookup = datatable (DvcOriginalAction:string, DvcAction:string, EventSeverity:string, EventResult:string)\n [\n 'allow', 'Allow', 'Informational', 'Success',\n 'drop', 'Drop', 'Low', 'Failure',\n 'reject', 'Deny', 'Low', 'Failure',\n 'block', 'Deny', 'Low', 'Failure',\n 'block_report', 'Deny', 'Low', 'Failure',\n 'allow_report', 'Allow', 'Informational', 'Success'\n ];\n let tcpupd_success = Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"rule_name\"')\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n 
'\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let tcpupd_fail = \n Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"drop-reason\"')\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"drop-reason\":\"' EventOriginalResultDetails:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' *\n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let icmp_success = Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"protocol\":\"ICMP\"') \n | project 
TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"icmp_code\":' NetworkIcmpSubCode:int ',' *\n '\"icmp_type\":' NetworkIcmpCode:int ',' * \n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"version\":' EventProductVersion:string '}' *\n ;\n union tcpupd_success, tcpupd_fail, icmp_success \n | parse SyslogMessage with \n *\n '\"country_name\":\"' SrcGeoCountry:string '\",' *\n '\"lat\":' SrcGeoLatitude:real ',' * \n '\"lon\":' SrcGeoLongitude:real '}' *\n | parse SyslogMessage with \n *\n '\"city_name\":\"' SrcGeoCity:string '\",' *\n '\"region_name\":\"' SrcGeoRegion:string '\",' *\n | extend \n SrcDvcIdType = 'AppGateId',\n SrcUsernameType = 'UPN'\n // -- Event fields\n | project-rename \n DvcHostname = Computer\n | extend \n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventVendor = 'AppGate',\n EventProduct = 'SDP',\n EventType = 'NetworkSession'\n | lookup DirectionLookup on direction\n | lookup ActionLookup on DvcOriginalAction\n // -- Aliases\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n // -- Entity identifier explicit aliases\n 
SrcUserUpn = SrcUsername\n | project-away \n SyslogMessage, type, direction\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for AppGate SDP", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionAppGateSDP", + "query": "let parser = (disabled:bool=false) \n{\n let DirectionLookup = datatable (direction:string, NetworkDirection:string) \n [\n 'up', 'Inbound',\n 'down', 'Outbound'\n ];\n let ActionLookup = datatable (DvcOriginalAction:string, DvcAction:string, EventSeverity:string, EventResult:string)\n [\n 'allow', 'Allow', 'Informational', 'Success',\n 'drop', 'Drop', 'Low', 'Failure',\n 'reject', 'Deny', 'Low', 'Failure',\n 'block', 'Deny', 'Low', 'Failure',\n 'block_report', 'Deny', 'Low', 'Failure',\n 'allow_report', 'Allow', 'Informational', 'Success'\n ];\n let tcpupd_success = Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"rule_name\"')\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' 
SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let tcpupd_fail = \n Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"drop-reason\"')\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"drop-reason\":\"' EventOriginalResultDetails:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' *\n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let icmp_success = Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"protocol\":\"ICMP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"direction\":\"' direction:string '\",' * \n 
'\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"icmp_code\":' NetworkIcmpSubCode:int ',' *\n '\"icmp_type\":' NetworkIcmpCode:int ',' * \n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"version\":' EventProductVersion:string '}' *\n ;\n union tcpupd_success, tcpupd_fail, icmp_success \n | parse SyslogMessage with \n *\n '\"country_name\":\"' SrcGeoCountry:string '\",' *\n '\"lat\":' SrcGeoLatitude:real ',' * \n '\"lon\":' SrcGeoLongitude:real '}' *\n | parse SyslogMessage with \n *\n '\"city_name\":\"' SrcGeoCity:string '\",' *\n '\"region_name\":\"' SrcGeoRegion:string '\",' *\n | extend \n SrcDvcIdType = 'AppGateId',\n SrcUsernameType = 'UPN'\n // -- Event fields\n | project-rename \n DvcHostname = Computer\n | extend \n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventVendor = 'AppGate',\n EventProduct = 'SDP',\n EventType = 'NetworkSession'\n | lookup DirectionLookup on direction\n | lookup ActionLookup on DvcOriginalAction\n // -- Aliases\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away \n SyslogMessage, type, direction\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json
index 88c4d3e35ee..854d6af2ec9 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionAzureFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionAzureFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Azure Firewall logs", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionAzureFirewall", - "query": "let parser = (disabled:bool=false) {\n let AzureFirewallNetworkRuleLogs = \n AzureDiagnostics\n | where not(disabled)\n | where Category == \"AzureFirewallNetworkRule\"\n | where isnotempty(msg_s)\n | project msg_s, OperationName, SubscriptionId, ResourceId, TimeGenerated, Type, _ResourceId;\n let AzureFirewallSessionLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName in (\"AzureFirewallNetworkRuleLog\",\"AzureFirewallThreatIntelLog\")\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \". 
Action: \" DvcAction:string\n \".\" *\n | project-away msg_s\n | extend NetworkIcmpCode = iff(NetworkProtocol startswith \"ICMP\", toint(extract (\"type=(\\\\d+)\",1,NetworkProtocol)), int(null))\n | extend NetworkIcmpType = iff(isnotnull(NetworkIcmpCode), _ASIM_LookupICMPType(NetworkIcmpCode), \"\")\n | extend NetworkProtocol = iff(NetworkProtocol startswith \"ICMP\", \"ICMP\", NetworkProtocol)\n | extend EventSeverity = case (\n OperationName == \"AzureFirewallThreatIntelLog\", \"Medium\",\n DvcAction == \"Deny\", \"Low\",\n \"Informational\")\n | extend EventResult = iff(DvcAction == \"Allow\", \"Success\", \"Failure\")\n ;\n let AzureFirewallNATLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName == \"AzureFirewallNatRuleLog\"\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \" was DNAT'ed to \" DstNatIpAddr:string\n \":\" DstNatPortNumber:int\n | project-away msg_s\n | extend EventSeverity = \"Informational\"\n | extend EventResult = \"Success\"\n | extend DvcAction = \"Allow\"\n ;\n union AzureFirewallSessionLogs, AzureFirewallNATLogs\n | extend\n EventVendor=\"Microsoft\",\n EventProduct=\"Azure Firewall\",\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n DvcIdType = \"AzureResourceId\"\n | project-rename\n DvcSubscriptionId = SubscriptionId,\n DvcId = ResourceId\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Type,\n _ResourceId,\n TimeGenerated\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Azure Firewall logs", + "category": 
"ASIM", + "FunctionAlias": "ASimNetworkSessionAzureFirewall", + "query": "let parser = (disabled:bool=false) {\n let AzureFirewallNetworkRuleLogs = \n AzureDiagnostics\n | where not(disabled)\n | where Category == \"AzureFirewallNetworkRule\"\n | where isnotempty(msg_s)\n | project msg_s, OperationName, SubscriptionId, ResourceId, TimeGenerated, Type, _ResourceId;\n let AzureFirewallSessionLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName in (\"AzureFirewallNetworkRuleLog\",\"AzureFirewallThreatIntelLog\")\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \". Action: \" DvcAction:string\n \".\" *\n | project-away msg_s\n | extend NetworkIcmpCode = iff(NetworkProtocol startswith \"ICMP\", toint(extract (\"type=(\\\\d+)\",1,NetworkProtocol)), int(null))\n | extend NetworkIcmpType = iff(isnotnull(NetworkIcmpCode), _ASIM_LookupICMPType(NetworkIcmpCode), \"\")\n | extend NetworkProtocol = iff(NetworkProtocol startswith \"ICMP\", \"ICMP\", NetworkProtocol)\n | extend EventSeverity = case (\n OperationName == \"AzureFirewallThreatIntelLog\", \"Medium\",\n DvcAction == \"Deny\", \"Low\",\n \"Informational\")\n | extend EventResult = iff(DvcAction == \"Allow\", \"Success\", \"Failure\")\n ;\n let AzureFirewallNATLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName == \"AzureFirewallNatRuleLog\"\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \" was DNAT'ed to \" DstNatIpAddr:string\n \":\" DstNatPortNumber:int\n | project-away msg_s\n | extend EventSeverity = \"Informational\"\n | extend EventResult = \"Success\"\n | extend DvcAction = \"Allow\"\n ;\n union AzureFirewallSessionLogs, AzureFirewallNATLogs\n | extend\n EventVendor=\"Microsoft\",\n EventProduct=\"Azure Firewall\",\n 
EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n DvcIdType = \"AzureResourceId\"\n | project-rename\n DvcSubscriptionId = SubscriptionId,\n DvcId = ResourceId\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Type,\n _ResourceId,\n TimeGenerated\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json index 8bd17642f7a..1b96d84e2aa 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionAzureNSG')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionAzureNSG", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Azure NSG flows", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionAzureNSG", - "query": "let DvcActionLookup = datatable(FlowStatus_s:string, DvcAction:string, EventResult:string) [\n 'A', 'Allow', 'Success',\n 'D', 'Deny', 'Failure',\n];\nlet NetworkDirectionLookup = datatable(FlowDirection_s:string, NetworkDirection:string, isOutBound:bool) [\n 'I', 'Inbound', false,\n 'O', 'Outbound', true\n];\nlet NetworkProtocolLookup = datatable(L4Protocol_s:string, NetworkProtocol:string)[\n 'T', 'TCP',\n 'U', 'UDP'\n];\nlet parser = (disabled:bool=false) \n{\n let AzureNetworkAnalytics = (FlowDirection: string) {\n AzureNetworkAnalytics_CL\n | where not(disabled) and isnotempty(FlowType_s)\n | where FlowDirection == FlowDirection_s\n | lookup NetworkDirectionLookup on FlowDirection_s\n };\n let AzureNetworkAnalyticsInbound =\n AzureNetworkAnalytics ('I')\n | where not(isOutBound)\n | project-rename\n DstMacAddr = MACAddress_s\n | extend\n DstBytes = tolong(OutboundBytes_d), // -- size fields seem not to be populated for inbound\n DstPackets = tolong(OutboundPackets_d),\n SrcBytes = tolong(InboundBytes_d),\n SrcPackets = tolong(InboundPackets_d),\n SrcInterfaceName = tostring(split(NIC_s, '/')[1]),\n SrcGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM2_s,'/')\n 
| extend \n DstFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n DstHostname = tostring(hostelements[1]),\n DstDomain = tostring(hostelements[0]),\n DstDomainType = \"ResourceGroup\"\n | extend Hostname = DstHostname\n | project-away hostelements, isOutBound\n ; \n let AzureNetworkAnalyticsOutbound =\n AzureNetworkAnalytics ('O')\n | where isOutBound\n | project-rename\n SrcMacAddr = MACAddress_s\n | extend\n SrcBytes = tolong(OutboundBytes_d), \n SrcPackets = tolong(OutboundPackets_d),\n DstBytes = tolong(InboundBytes_d),\n DstPackets = tolong(InboundPackets_d),\n DstInterfaceName = tostring(split(NIC_s, '/')[1]),\n DstGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM1_s,'/')\n | extend \n SrcFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n SrcHostname = tostring(hostelements[1]),\n SrcDomain = tostring(hostelements[0]),\n SrcDomainType = \"ResourceGroup\"\n | extend Hostname = SrcHostname\n | project-away hostelements, isOutBound\n ;\n union AzureNetworkAnalyticsInbound, AzureNetworkAnalyticsOutbound\n | project-rename\n Dvc = NSGList_s,\n DvcSubscriptionId = Subscription_g,\n EventEndTime = FlowEndTime_t,\n EventStartTime = FlowStartTime_t,\n NetworkApplicationProtocol = L7Protocol_s,\n NetworkRuleName = NSGRule_s,\n NetworkSessionId = ConnectionName_s,\n EventOriginalSubType = FlowType_s\n | extend\n DstPortNumber = toint(DestPort_d),\n EventProduct = 'NSGFlow',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational', //??\n EventType = 'Flow',\n EventVendor = 'Microsoft',\n EventCount = toint(AllowedInFlows_d+DeniedInFlows_d+AllowedOutFlows_d+DeniedOutFlows_d),\n NetworkDuration = toint((((EventEndTime - datetime(1970-01-01)) / 1s) - ((EventStartTime - datetime(1970-01-01)) / 1s )) * 1000),\n Rule = NetworkRuleName,\n SessionId = NetworkSessionId\n | lookup DvcActionLookup on FlowStatus_s\n | extend \n DstIpAddr = iff(isnotempty(DestIP_s),\n DestIP_s,\n split(DestPublicIPs_s, 
'|')[0]),\n Duration = NetworkDuration,\n NetworkBytes = tolong(DstBytes + SrcBytes),\n NetworkPackets = tolong(DstPackets + SrcPackets),\n SrcIpAddr = iff(isnotempty(SrcIP_s),\n SrcIP_s,\n split(SrcPublicIPs_s, '|')[0])\n | extend\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | lookup NetworkProtocolLookup on L4Protocol_s\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Hostname,\n Type,\n Duration,\n SessionId,\n _ResourceId,\n TimeGenerated\n | project-away *_s\n };\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Azure NSG flows", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionAzureNSG", + "query": "let DvcActionLookup = datatable(FlowStatus_s:string, DvcAction:string, EventResult:string) [\n 'A', 'Allow', 'Success',\n 'D', 'Deny', 'Failure',\n];\nlet NetworkDirectionLookup = datatable(FlowDirection_s:string, NetworkDirection:string, isOutBound:bool) [\n 'I', 'Inbound', false,\n 'O', 'Outbound', true\n];\nlet NetworkProtocolLookup = datatable(L4Protocol_s:string, NetworkProtocol:string)[\n 'T', 'TCP',\n 'U', 'UDP'\n];\nlet parser = (disabled:bool=false) \n{\n let AzureNetworkAnalytics = (FlowDirection: string) {\n AzureNetworkAnalytics_CL\n | where not(disabled) and isnotempty(FlowType_s)\n | where FlowDirection == FlowDirection_s\n | lookup NetworkDirectionLookup on FlowDirection_s\n };\n let AzureNetworkAnalyticsInbound =\n AzureNetworkAnalytics ('I')\n | where not(isOutBound)\n | project-rename\n DstMacAddr = MACAddress_s\n | extend\n DstBytes = tolong(OutboundBytes_d), // -- size fields seem not to be populated for inbound\n DstPackets = tolong(OutboundPackets_d),\n SrcBytes = tolong(InboundBytes_d),\n SrcPackets = tolong(InboundPackets_d),\n SrcInterfaceName = tostring(split(NIC_s, '/')[1]),\n SrcGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM2_s,'/')\n | 
extend \n DstFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n DstHostname = tostring(hostelements[1]),\n DstDomain = tostring(hostelements[0]),\n DstDomainType = \"ResourceGroup\"\n | extend Hostname = DstHostname\n | project-away hostelements, isOutBound\n ; \n let AzureNetworkAnalyticsOutbound =\n AzureNetworkAnalytics ('O')\n | where isOutBound\n | project-rename\n SrcMacAddr = MACAddress_s\n | extend\n SrcBytes = tolong(OutboundBytes_d), \n SrcPackets = tolong(OutboundPackets_d),\n DstBytes = tolong(InboundBytes_d),\n DstPackets = tolong(InboundPackets_d),\n DstInterfaceName = tostring(split(NIC_s, '/')[1]),\n DstGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM1_s,'/')\n | extend \n SrcFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n SrcHostname = tostring(hostelements[1]),\n SrcDomain = tostring(hostelements[0]),\n SrcDomainType = \"ResourceGroup\"\n | extend Hostname = SrcHostname\n | project-away hostelements, isOutBound\n ;\n union AzureNetworkAnalyticsInbound, AzureNetworkAnalyticsOutbound\n | project-rename\n Dvc = NSGList_s,\n DvcSubscriptionId = Subscription_g,\n EventEndTime = FlowEndTime_t,\n EventStartTime = FlowStartTime_t,\n NetworkApplicationProtocol = L7Protocol_s,\n NetworkRuleName = NSGRule_s,\n NetworkSessionId = ConnectionName_s,\n EventOriginalSubType = FlowType_s\n | extend\n DstPortNumber = toint(DestPort_d),\n EventProduct = 'NSGFlow',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational', //??\n EventType = 'Flow',\n EventVendor = 'Microsoft',\n EventCount = toint(AllowedInFlows_d+DeniedInFlows_d+AllowedOutFlows_d+DeniedOutFlows_d),\n NetworkDuration = toint((((EventEndTime - datetime(1970-01-01)) / 1s) - ((EventStartTime - datetime(1970-01-01)) / 1s )) * 1000),\n Rule = NetworkRuleName,\n SessionId = NetworkSessionId\n | lookup DvcActionLookup on FlowStatus_s\n | extend \n DstIpAddr = iff(isnotempty(DestIP_s),\n DestIP_s,\n split(DestPublicIPs_s, 
'|')[0]),\n Duration = NetworkDuration,\n NetworkBytes = tolong(DstBytes + SrcBytes),\n NetworkPackets = tolong(DstPackets + SrcPackets),\n SrcIpAddr = iff(isnotempty(SrcIP_s),\n SrcIP_s,\n split(SrcPublicIPs_s, '|')[0])\n | extend\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | lookup NetworkProtocolLookup on L4Protocol_s\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Hostname,\n Type,\n Duration,\n SessionId,\n _ResourceId,\n TimeGenerated\n | project-away *_s\n };\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json index daabd50fc78..01205397b47 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionBarracudaCEF", - "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\",\n 1, \"High\",\n 2, \"High\",\n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\",\n 6, \"Informational\",\n 7, \"Informational\"\n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", 
\"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"NF\"\n | extend\n severity = toint(LogSeverity)\n | lookup EventResultLookup on $left.DeviceAction == $right.ActionID_s\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on $left.Protocol == $right.Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n DvcIpAddr = DestinationIP,\n DstPortNumber = toint(DestinationPort),\n SrcPortNumber = toint(SourcePort),\n EventUid = _ItemId,\n EventProductVersion = DeviceVersion\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,CollectorHostName;\nBarracudaCEF\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": 
"disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionBarracudaCEF", + "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\",\n 1, \"High\",\n 2, \"High\",\n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\",\n 6, \"Informational\",\n 7, \"Informational\"\n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"NF\"\n | extend\n severity = toint(LogSeverity)\n | lookup EventResultLookup on $left.DeviceAction == $right.ActionID_s\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on $left.Protocol == $right.Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = 
\"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n DvcIpAddr = DestinationIP,\n DstPortNumber = toint(DestinationPort),\n SrcPortNumber = toint(SourcePort),\n EventUid = _ItemId,\n EventProductVersion = DeviceVersion\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,CollectorHostName;\nBarracudaCEF\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json index bf18db4f28a..b02adbf39fe 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionBarracudaWAF", - "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\",\n 1, \"High\",\n 2, \"High\",\n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\",\n 6, \"Informational\",\n 7, \"Informational\"\n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", 
\"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and LogType_s == \"NF\"\n | extend\n severity = toint(Severity_s)\n | lookup EventResultLookup on ActionID_s\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n DstIpAddr = DestinationIP_s,\n SrcIpAddr = SourceIP,\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n DstPortNumber = toint(DestinationPort_d),\n SrcPortNumber = toint(SourcePort_d),\n EventUid = _ItemId,\n EventProductVersion = DeviceVersion_s\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\nBarracudaCustom\n };\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionBarracudaWAF", + "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: 
string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\",\n 1, \"High\",\n 2, \"High\",\n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\",\n 6, \"Informational\",\n 7, \"Informational\"\n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and LogType_s == \"NF\"\n | extend\n severity = toint(Severity_s)\n | lookup EventResultLookup on ActionID_s\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n DstIpAddr = DestinationIP_s,\n SrcIpAddr = SourceIP,\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n DstPortNumber = toint(DestinationPort_d),\n SrcPortNumber = toint(SourcePort_d),\n EventUid = _ItemId,\n EventProductVersion = DeviceVersion_s\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_d,\n *_s,\n 
_ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\nBarracudaCustom\n };\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json index 6a27ceb12cb..a70c80413cf 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCheckPointFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCheckPointFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Check Point Firewall", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCheckPointFirewall", - "query": "let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n [\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , 
\"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , 
\"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\n let DirectionLookup=datatable(conn_direction:string,NetworkDirection:string)\n [\n \"Incoming\",\"Inbound\", \n \"Outgoing\",\"Outbound\", \n \"Internal\",\"Local\"];\n let ActionLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Accept\",\"Allow\",\"Success\",\"Informational\",\n \"Allow\",\"Allow\",\"Success\",\"Informational\",\n \"Drop\",\"Drop\",\"Failure\",\"Low\",\n \"Reject\",\"Deny\",\"Failure\",\"Low\",\n \"Encrypt\",\"Encrypt\",\"Success\",\"Informational\",\n \"Decrypt\",\"Decrypt\",\"Success\",\"Informational\",\n \"Bypass\",\"Allow\",\"Success\",\"Informational\",\n \"Block\",\"Deny\",\"Failure\",\"Low\",\n \"\",\"\",\"NA\",\"Informational\"\n ];\n let NWParser=(disabled:bool=false)\n {\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor==\"Check Point\" and DeviceProduct==\"VPN-1 & FireWall-1\"\n | lookup ActionLookup on DeviceAction\n | lookup ProtocolLookup on Protocol\n | extend \n EventProduct = \"Firewall\",\n EventCount = toint(1),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\"\n | parse-kv AdditionalExtensions as (\n rule_uid:string,\n loguid:string,\n origin:string,\n originsicname:string,\n inzone:string,\n outzone:string,\n conn_direction:string,\n alert:string,\n inspection_category:string,\n inspection_item:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n ThreatCategory = coalesce(alert, inspection_category),\n NetworkRuleName = coalesce(DeviceCustomString2, rule_uid, Activity),\n EventStartTime = TimeGenerated\n | parse originsicname with \"CN\\\\=\" DvcHostname \",\" *\n | project-rename\n Dvc = origin, \n EventOriginalUid = loguid,\n ThreatName = inspection_item,\n EventVendor = DeviceVendor,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n 
SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventOriginalSeverity = LogSeverity,\n Rule = NetworkRuleName,\n DvcOriginalAction = DeviceAction,\n DstAppName = Activity,\n EventMessage = Message\n | lookup DirectionLookup on conn_direction\n | extend \n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n NetworkDirection = case(\n isnotempty(NetworkDirection), NetworkDirection,\n inzone == \"Internal\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Local\",\n (inzone == \"Internal\" or inzone == \"Local\") and outzone == \"External\", \"Outbound\",\n inzone == \"External\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Inbound\",\n CommunicationDirection == \"0\", \"Inbound\",\n CommunicationDirection == \"1\", \"Outbound\",\n \"\"\n ),\n EventSeverity = iif(isnotempty(ThreatCategory),\"High\",EventSeverity),\n NetworkIcmpType = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n ),\n NetworkIcmpCode = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber3\", long(null))),\n toint(column_ifexists(\"DeviceCustomNumber3\",long(null)))\n )\n | project-away ApplicationProtocol, AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, ReportReferenceLink, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, rule_uid, originsicname, inzone, outzone, alert, conn_direction, inspection_category, ExtID, EventOutcome, FieldDevice*, Reason\n };\n NWParser (disabled=disabled)", - 
"version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Check Point Firewall", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCheckPointFirewall", + "query": "let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n [\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , 
\"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\n let DirectionLookup=datatable(conn_direction:string,NetworkDirection:string)\n [\n \"Incoming\",\"Inbound\", \n \"Outgoing\",\"Outbound\", \n \"Internal\",\"Local\"];\n let ActionLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Accept\",\"Allow\",\"Success\",\"Informational\",\n \"Allow\",\"Allow\",\"Success\",\"Informational\",\n \"Drop\",\"Drop\",\"Failure\",\"Low\",\n 
\"Reject\",\"Deny\",\"Failure\",\"Low\",\n \"Encrypt\",\"Encrypt\",\"Success\",\"Informational\",\n \"Decrypt\",\"Decrypt\",\"Success\",\"Informational\",\n \"Bypass\",\"Allow\",\"Success\",\"Informational\",\n \"Block\",\"Deny\",\"Failure\",\"Low\",\n \"\",\"\",\"NA\",\"Informational\"\n ];\n let NWParser=(disabled:bool=false)\n {\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor==\"Check Point\" and DeviceProduct==\"VPN-1 & FireWall-1\"\n | lookup ActionLookup on DeviceAction\n | lookup ProtocolLookup on Protocol\n | extend \n EventProduct = \"Firewall\",\n EventCount = toint(1),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\"\n | parse-kv AdditionalExtensions as (\n rule_uid:string,\n loguid:string,\n origin:string,\n originsicname:string,\n inzone:string,\n outzone:string,\n conn_direction:string,\n alert:string,\n inspection_category:string,\n inspection_item:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n ThreatCategory = coalesce(alert, inspection_category),\n NetworkRuleName = coalesce(DeviceCustomString2, rule_uid, Activity),\n EventStartTime = TimeGenerated\n | parse originsicname with \"CN\\\\=\" DvcHostname \",\" *\n | project-rename\n Dvc = origin, \n EventOriginalUid = loguid,\n ThreatName = inspection_item,\n EventVendor = DeviceVendor,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventOriginalSeverity = LogSeverity,\n Rule = NetworkRuleName,\n DvcOriginalAction = DeviceAction,\n DstAppName = Activity,\n EventMessage = Message\n | lookup DirectionLookup on conn_direction\n | extend \n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dst = DstIpAddr,\n Src = 
SrcIpAddr,\n NetworkDirection = case(\n isnotempty(NetworkDirection), NetworkDirection,\n inzone == \"Internal\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Local\",\n (inzone == \"Internal\" or inzone == \"Local\") and outzone == \"External\", \"Outbound\",\n inzone == \"External\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Inbound\",\n CommunicationDirection == \"0\", \"Inbound\",\n CommunicationDirection == \"1\", \"Outbound\",\n \"\"\n ),\n EventSeverity = iif(isnotempty(ThreatCategory),\"High\",EventSeverity),\n NetworkIcmpType = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n ),\n NetworkIcmpCode = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber3\", long(null))),\n toint(column_ifexists(\"DeviceCustomNumber3\",long(null)))\n )\n | project-away ApplicationProtocol, AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, ReportReferenceLink, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, rule_uid, originsicname, inzone, outzone, alert, conn_direction, inspection_category, ExtID, EventOutcome, FieldDevice*, Reason\n };\n NWParser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json index eaed5f9d603..be433d84792 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoASA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco ASA", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with 
reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and 
not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername 
\"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can 
have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * 
totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = 
iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range 
Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n 
\"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco ASA", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoASA", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 
'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing 
connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , 
\"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , 
\"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n 
\"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse 
Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * 
\":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional 
here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" 
from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername 
\")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let 
externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in 
(externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
index fd48752c1d3..5ba457c5767 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoFirepower')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimNetworkSessionCiscoFirepower",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Network Session ASIM parser for Cisco Firepower",
- "category": "ASIM",
- "FunctionAlias": "ASimNetworkSessionCiscoFirepower",
- "query": "let ActionLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", \"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n 
\"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n [\n \"N/A\", \"NA\",\n \"IP Block\", \"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (disabled: bool=false) {\n let AllLogs = CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", 
DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | invoke 
_ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber\n};\nparser(disabled=disabled)",
- "version": 1,
- "functionParameters": "disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Network Session ASIM parser for Cisco Firepower",
+ "category": "ASIM",
+ "FunctionAlias": "ASimNetworkSessionCiscoFirepower",
+ "query": "let ActionLookup = datatable(\n 
DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", \"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n [\n \"N/A\", \"NA\",\n \"IP Block\", \"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (disabled: bool=false) {\n let AllLogs = CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", 
\"PV:112\", \"RNA:1003:1\")\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), 
\"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = 
SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber\n};\nparser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json
index 21147034153..991d5fe7c6f 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json
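Review bot: The flattened resource introduced at `+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches"` keeps `"location": "[parameters('WorkspaceRegion')]"`, which the nested `savedSearches` child it replaces never carried; a saved search lives under its workspace, so this property looks like dead input and is worth dropping or documenting in the generator template so nobody assumes `WorkspaceRegion` affects where the function lands. Removing the parent `Microsoft.OperationalInsights/workspaces` resource and its `dependsOn` also means a deployment no longer writes to the workspace resource itself, only to the child saved search, which is the narrower permission footprint to prefer, but the template now silently requires the workspace to pre-exist; that prerequisite belongs on the `Workspace` parameter description, which is outside this hunk. `"etag": "*"` still overwrites any saved search already named `ASimNetworkSessionCiscoFirepower` unconditionally, as before. The CiscoISE hunk that follows makes the same change, but its end is outside this view.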
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoISE')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimNetworkSessionCiscoISE",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Network Session ASIM parser for Cisco ISE",
- "category": "ASIM",
- "FunctionAlias": "ASimNetworkSessionCiscoISE",
- "query": "let EventFieldsLookup=datatable(\nEventOriginalType: string,\nEventResult: string,\nDvcAction: string,\nEventResultDetails: string,\nEventSubType: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nEventMessage: string,\nEventOriginalResultDetails: string\n)[\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from 
APIC\",\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS peer\",\n\"61026\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\n\"60509\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as maximum possible connection was exceeded\",\n\"61231\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\n\"61232\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka connection to ACI error while sending message\",\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP server\",\n\"24019\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\n\"24030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active 
Directory agent established successfully\",\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\n\"24429\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\n\"24851\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\n\"34147\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake Failed\", \"JGroups TLS Handshake Failed\",\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\n\"34149\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\n\"34159\", \"Success\", 
\"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\n\"34160\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with SSL error\",\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\n\"34164\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\n\"90066\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\n\"11317\", \"Failure\", 
\"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. Check network device enabled ssh connections from ISE (ip address)\",\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet GetSrcIpAddr = (src_ip: string) {\n case ( \n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\n src_ip,\n \"\"\n )\n};\nlet GetMacAddr = (mac: string) {\n case ( \n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\n mac,\n \"\"\n )\n};\nlet CiscoISENSParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n DstIpAddr=DestinationIPAddress\n , DstPortNumber=DestinationPort\n , SrcPortNumber=['Device Port']\n , NetworkApplicationProtocol=Protocol\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\n | extend \n EventVendor = 
\"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventType = \"NetworkSession\"\n , EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\n , DstUsername = coalesce(UserName, ['User-Name'], User)\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\n //********************** ************************\n | extend \n Dvc = coalesce(DvcHostname, DvcIpAddr)\n , IpAddr = SrcIpAddr\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , User = DstUsername\n //********************** ***********************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n ['Device IP Address'],\n ['Remote-Address'],\n ['Calling-Station-ID'],\n ['Called-Station-ID']\n};\nCiscoISENSParser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: string,\nEventResult: string,\nDvcAction: string,\nEventResultDetails: 
string,\nEventSubType: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nEventMessage: string,\nEventOriginalResultDetails: string\n)[\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from APIC\",\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS peer\",\n\"61026\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\n\"60509\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as maximum possible connection was exceeded\",\n\"61231\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\n\"61232\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka 
connection to ACI error while sending message\",\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP server\",\n\"24019\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\n\"24030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active Directory agent established successfully\",\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\n\"24429\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\n\"24851\", 
\"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\n\"34147\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake Failed\", \"JGroups TLS Handshake Failed\",\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\n\"34149\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\n\"34159\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\n\"34160\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with SSL error\",\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\n\"34164\", \"Failure\", 
\"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\n\"90066\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\n\"11317\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. 
Check network device enabled ssh connections from ISE (ip address)\",\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet GetSrcIpAddr = (src_ip: string) {\n case ( \n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\n src_ip,\n \"\"\n )\n};\nlet GetMacAddr = (mac: string) {\n case ( \n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\n mac,\n \"\"\n )\n};\nlet CiscoISENSParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n DstIpAddr=DestinationIPAddress\n , DstPortNumber=DestinationPort\n , SrcPortNumber=['Device Port']\n , NetworkApplicationProtocol=Protocol\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , 
EventType = \"NetworkSession\"\n , EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\n , DstUsername = coalesce(UserName, ['User-Name'], User)\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\n //********************** ************************\n | extend \n Dvc = coalesce(DvcHostname, DvcIpAddr)\n , IpAddr = SrcIpAddr\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , User = DstUsername\n //********************** ***********************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n ['Device IP Address'],\n ['Remote-Address'],\n ['Calling-Station-ID'],\n ['Called-Station-ID']\n};\nCiscoISENSParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json index 58d31aa854e..a7a06f3eaa6 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCiscoMeraki", - "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n[\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup=datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet 
Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup=datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", 
\"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"0\", \"Allow\", \"Success\",\n \"1\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false) {\n let allData = (\n meraki_CL\n | project-rename LogMessage = Message\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]);\n let FlowsFirewallData = PreFilteredData\n | where LogType in 
(\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(pattern1, pattern2)\n | lookup DvcActionLookup on pattern\n | extend direction = case(pattern has_any ('0','1'), 'ingress', pattern has_any ('allow','deny'), 'egress', 'unknown')\n | lookup NetworkDirectionLookup on direction\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n 
| extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost),\n EventMessage = trim('\"', message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" 
restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip \"]:\" temp_port \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend \n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n Epoch = iff(isnotempty(column_ifexists(\"timestamp\", \"\")), timestamp, Epoch)\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend temp_srcipport= coalesce(src, ip_src, last_known_client_ip) \n | extend temp_srcipport = trim('\"', temp_srcipport)\n 
| parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = case(\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0], \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = coalesce(dst, dns_server)\n | extend temp_dstipport = trim('\"', temp_dstipport)\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | extend \n EventMessage = iff(\n LogSubType has_any(\"Blocked DHCP server\", \"Virtual router collision\"),\n Substring,\n coalesce(message, \"\")\n ),\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(duration) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventEndTime = EventStartTime,\n EventCount = int(1),\n 
EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoMeraki", + "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n[\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", 
\"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup=datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet 
NetworkProtocolLookup=datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"0\", \"Allow\", \"Success\",\n \"1\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false) {\n let allData = (\n meraki_CL\n | project-rename LogMessage = Message\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = 
extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]);\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(pattern1, pattern2)\n | lookup DvcActionLookup on pattern\n | extend direction = case(pattern has_any ('0','1'), 'ingress', pattern has_any ('allow','deny'), 'egress', 'unknown')\n | lookup NetworkDirectionLookup on direction\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with 
(pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost),\n EventMessage = trim('\"', message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = 
EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip \"]:\" temp_port \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend \n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n Epoch = iff(isnotempty(column_ifexists(\"timestamp\", \"\")), 
timestamp, Epoch)\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend temp_srcipport= coalesce(src, ip_src, last_known_client_ip) \n | extend temp_srcipport = trim('\"', temp_srcipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = case(\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0], \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = coalesce(dst, dns_server)\n | extend temp_dstipport = trim('\"', temp_dstipport)\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | extend \n EventMessage = iff(\n LogSubType has_any(\"Blocked DHCP server\", \"Virtual router collision\"),\n Substring,\n coalesce(message, \"\")\n ),\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n Src = 
coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(duration) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventEndTime = EventStartTime,\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json index 1a4f63ea1e3..c5cbba2a227 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCiscoMerakiSyslog", - "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n[\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup=datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination 
Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup=datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", 
\"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false) {\n let allData = (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]);\n let FlowsFirewallData = 
PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(pattern1, pattern2)\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n 
DstMacAddr = trim('\"', dhost),\n EventMessage = trim('\"', message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend 
LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip \"]:\" temp_port \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend \n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n Epoch = iff(isnotempty(column_ifexists(\"timestamp\", \"\")), timestamp, Epoch)\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend temp_srcipport= coalesce(src, ip_src, last_known_client_ip) \n | extend temp_srcipport = trim('\"', temp_srcipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = case(\n temp_srcipport has \".\",\n 
split(temp_srcipport, \":\")[0], \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = coalesce(dst, dns_server)\n | extend temp_dstipport = trim('\"', temp_dstipport)\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | extend \n EventMessage = iff(\n LogSubType has_any(\"Blocked DHCP server\", \"Virtual router collision\"),\n Substring,\n coalesce(message, \"\")\n ),\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(duration) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventEndTime = EventStartTime,\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n 
Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName,NetworkProtocolNumber\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoMerakiSyslog", + "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n[\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n 
\"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup=datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet 
NetworkProtocolLookup=datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false) {\n let allData = (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = 
extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]);\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(pattern1, pattern2)\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | 
lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost),\n EventMessage = trim('\"', message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse 
Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip \"]:\" temp_port \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend \n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n Epoch = iff(isnotempty(column_ifexists(\"timestamp\", \"\")), timestamp, Epoch)\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend temp_srcipport= 
coalesce(src, ip_src, last_known_client_ip) \n | extend temp_srcipport = trim('\"', temp_srcipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = case(\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0], \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = coalesce(dst, dns_server)\n | extend temp_dstipport = trim('\"', temp_dstipport)\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | extend \n EventMessage = iff(\n LogSubType has_any(\"Blocked DHCP server\", \"Virtual router collision\"),\n Substring,\n coalesce(message, \"\")\n ),\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(duration) * 1000)\n | project-rename\n EventOriginalType = LogType,\n 
EventOriginalSubType = LogSubType\n | extend\n EventEndTime = EventStartTime,\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName,NetworkProtocolNumber\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json index 902dd6a8627..e98be491da7 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCorelightZeek')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCorelightZeek", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Corelight Zeek", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCorelightZeek", - "query": "let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, NetworkDirection: string)\n[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n];\nlet ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string)\n[ \n 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',\n 'S1', 'Success', '', 'Connection established, not terminated', 'Informational',\n 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', // Note that this is the same symbol as for state S1. 
You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.\n 'REJ', 'Failure', 'Rejeced', 'Connection attempt rejected', 'Low',\n 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',\n 'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',\n 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',\n 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',\n 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',\n 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',\n 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',\n 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',\n 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'\n];\nlet parser=(disabled:bool=false){\n Corelight_CL | where not(disabled)\n | where (Message has '\"_path\":\"conn\"' or Message has '\"conn_red\"')\n | project Message\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"service\"']:string,\n ['\"duration\"']:int,\n ['\"orig_bytes\"']:long,\n ['\"resp_bytes\"']:long,\n ['\"local_orig\"']:bool,\n ['\"local_resp\"']:bool,\n ['\"missed_bytes\"']:long,\n ['\"history\"']:string,\n ['\"orig_pkts\"']:long,\n ['\"resp_pkts\"']:long,\n ['\"orig_l2_addr\"']:string,\n ['\"resp_l2_addr\"']:string,\n ['\"community_id']:string,\n ['\"conn_state\"']:string,\n ['\"vlan\"']:string,\n 
['\"inner_vlan\"']:string\n ) \n with (quote = '\"')\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.4\",\n EventType=\"Flow\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n NetworkApplicationProtocol = ['\"service\"'],\n NetworkDuration = ['\"duration\"'],\n SrcBytes = ['\"orig_bytes\"'],\n DstBytes = ['\"resp_bytes\"'],\n local_orig = ['\"local_orig\"'],\n local_resp = ['\"local_resp\"'],\n FlowMissedBytes = ['\"missed_bytes\"'],\n SrcPackets = ['\"orig_pkts\"'],\n DstPackets = ['\"resp_pkts\"'],\n SrcMacAddr = ['\"orig_l2_addr\"'],\n DstMacAddr = ['\"resp_l2_addr\"'],\n DstVlanId = ['\"vlan\"'],\n SrcVlanId = ['\"inner_vlan\"'], \n conn_state = ['\"conn_state\"'],\n FlowHistory = ['\"history\"'],\n NetworkSessionId = ['\"community_id'],\n Dvc = ['\"_system_name\"']\n | lookup NetworkDirectionLookup on local_orig, local_resp\n | lookup ResultLookup on conn_state\n | extend\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n NetworkProtocol = toupper(NetworkProtocol)\n // Aliases\n | extend \n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=NetworkDuration,\n SessionId = NetworkSessionId,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n Dst=DstIpAddr\n | project-away Message, local_orig, local_resp, conn_state\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Corelight Zeek", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCorelightZeek", + "query": "let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, 
NetworkDirection: string)\n[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n];\nlet ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string)\n[ \n 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',\n 'S1', 'Success', '', 'Connection established, not terminated', 'Informational',\n 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', // Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.\n 'REJ', 'Failure', 'Rejeced', 'Connection attempt rejected', 'Low',\n 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',\n 'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',\n 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',\n 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',\n 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',\n 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',\n 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',\n 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',\n 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'\n];\nlet parser=(disabled:bool=false){\n Corelight_CL | where not(disabled)\n | where (Message has '\"_path\":\"conn\"' or Message has '\"conn_red\"')\n | project Message\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n 
['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"service\"']:string,\n ['\"duration\"']:int,\n ['\"orig_bytes\"']:long,\n ['\"resp_bytes\"']:long,\n ['\"local_orig\"']:bool,\n ['\"local_resp\"']:bool,\n ['\"missed_bytes\"']:long,\n ['\"history\"']:string,\n ['\"orig_pkts\"']:long,\n ['\"resp_pkts\"']:long,\n ['\"orig_l2_addr\"']:string,\n ['\"resp_l2_addr\"']:string,\n ['\"community_id']:string,\n ['\"conn_state\"']:string,\n ['\"vlan\"']:string,\n ['\"inner_vlan\"']:string\n ) \n with (quote = '\"')\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.4\",\n EventType=\"Flow\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n NetworkApplicationProtocol = ['\"service\"'],\n NetworkDuration = ['\"duration\"'],\n SrcBytes = ['\"orig_bytes\"'],\n DstBytes = ['\"resp_bytes\"'],\n local_orig = ['\"local_orig\"'],\n local_resp = ['\"local_resp\"'],\n FlowMissedBytes = ['\"missed_bytes\"'],\n SrcPackets = ['\"orig_pkts\"'],\n DstPackets = ['\"resp_pkts\"'],\n SrcMacAddr = ['\"orig_l2_addr\"'],\n DstMacAddr = ['\"resp_l2_addr\"'],\n DstVlanId = ['\"vlan\"'],\n SrcVlanId = ['\"inner_vlan\"'], \n conn_state = ['\"conn_state\"'],\n FlowHistory = ['\"history\"'],\n NetworkSessionId = ['\"community_id'],\n Dvc = ['\"_system_name\"']\n | lookup NetworkDirectionLookup on local_orig, local_resp\n | lookup ResultLookup on conn_state\n | extend\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n NetworkProtocol = toupper(NetworkProtocol)\n // Aliases\n | extend \n IpAddr=SrcIpAddr,\n 
Src=SrcIpAddr,\n Duration=NetworkDuration,\n SessionId = NetworkSessionId,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n Dst=DstIpAddr\n | project-away Message, local_orig, local_resp, conn_state\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json index 62cca46cbdf..ba8e05942e1 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCrowdStrikeFalconHost", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or blocked if policy was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n 
\"144\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", \"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", \"Allow\", \"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", 
\"Failure\",\n \"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (disabled: bool=false) {\n let alldata = CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"CrowdStrike\"\n and DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\");\n let firewalldata = alldata\n | where DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: 
string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n ),\n deviceIp = iff(hostName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | lookup EventFieldsLookup on ruleAction\n | project-rename\n DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: 
string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup ActionLookup on EventOutcome\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(DestinationNTDomain, SrcDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = 
DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or 
blocked if policy was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n \"144\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", \"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", 
\"Allow\", \"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (disabled: bool=false) {\n let alldata = CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"CrowdStrike\"\n and 
DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\");\n let firewalldata = alldata\n | where DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n ),\n deviceIp = iff(hostName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | lookup EventFieldsLookup on ruleAction\n | project-rename\n 
DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup ActionLookup on EventOutcome\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(DestinationNTDomain, SrcDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n 
| extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json index 2a79b11e4a3..fd2b6f4e703 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionForcePointFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionForcePointFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Force Point Firewall", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionForcePointFirewall", - "query": "let ApplicationProtocolLookup=datatable(ApplicationProtocol:string,NetworkApplicationProtocol:string)\n [\n \"HTTPS\",\"HTTPS\",\n \"HTTP-Over-QUIC\",\"HTTP\",\n \"HTTP\",\"HTTP\",\n \"DNS Over TLS\",\"DNS\",\n \"HTTP proxy\",\"HTTP\",\n \"IMAPS\",\"IMAPS\",\n \"SMTP\",\"SMTP\",\n \"IMAP\",\"IMAP\",\n \"POP3S\",\"POP3\",\n \"SMTP Submission Service\",\"SMTP\",\n \"X11\",\"X11\",\n \"RTSP\",\"RTSP\",\n \"Telnet\",\"TELNET\",\n \"NNTP\",\"NNTP\",\n \"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\n \"POP3\",\"POP3\",\n \"BGP\",\"BGP\",\n \"FTP\",\"FTP\",\n \"RIP\",\"RIP\",\n \"Squid HTTP proxy\",\"HTTP\",\n \"TFTP\",\"TFTP\",\n \"QOTD\",\"QOTD\",\n \"SCCP\",\"SCCP\",\n \"Modbus\",\"MODBUS\",\n \"SVN\",\"SVN\",\n \"RADIUS (Accounting)\",\"RADIUS\",\n \"Kerberos\",\"KERBEROS\",\n \"GRE\",\"GRE\",\n \"UUCP-rlogin\",\"UUCP\",\n \"GTP User Data Tunneling\",\"GTP\",\n \"NNTPS\",\"NNTP\",\n \"GTP Control\",\"GTP\",\n \"IRC-default\",\"IRC\",\n \"FTPS (Control)\",\"FTPS\",\n \"ICCP\",\"ICCP\",\n \"IRCS\",\"IRC\",\n \"Telnets\",\"TELNET\",\n \"Finger\",\"FINGER\",\n \"ESP\",\"ESP\",\n \"Rlogin\",\"RLP\",\n \"IMAP3\",\"IMAP\",\n \"MGCP\",\"MGCP\",\n \"RADIUS 
Accounting (Old)\",\"RADIUS\",\n \"RADIUS (Old)\",\"RADIUS\",\n \"CVS\",\"CVS\",\n \"Ident\",\"IDENT\",\n \"Gopher\",\"GOPHER\",\n \"BGMP\",\"BGMP\",\n \"FTPS (Data)\",\"FTPS\",\n \"POP2\",\"POP\",\n \"TLISRV\",\"TLISRV\",\n \"INGRES-NET\",\"INGRES-NET\",\n \"IPIP\",\"IPIP\",\n \"XTP\",\"XTP\",\n \"UUCP\",\"UUCP\",\n \"IRC\",\"IRC\",\n \"Photuris (ICMP)\",\"ICMP\",\n \"TACACS-DS\",\"TACACS-DS\",\n \"WESP\",\"WESP\",\n \"EGP\",\"EGP\",\n \"WSN\",\"WSN\",\n \"XDMCP\",\"XDMCP\",\n \"Kerberos IV\",\"KERBEROS\",\n \"IRTP\",\"IRTP\",\n \"TTP\",\"TTP\",\n \"IRC-SERV\",\"IRC\",\n \"I-NLSP\",\"NLSP\",\n \"SNP\",\"SNP\",\n \"XNS-IDP\",\"XNS\",\n \"SECURE-VMTP\",\"VMTP\",\n \"VMTP\",\"VMTP\",\n \"IPLT\",\"IPLT\",\n \"GGP\",\"GGP\",\n \"MFE-NSP\",\"NSP\",\n \"HIP\",\"HIP\",\n \"MERIT-NSP\",\"NSP\",\n \"NSFNET-IGP\",\"IGP\",\n \"DCN-MEAS\",\"DCN\",\n \"STP\",\"STP\",\n \"SRP\",\"SRP\",\n \"HMP\",\"HMP\",\n \"XNET\",\"XNET\",\n \"VRRP\",\"VRRP\",\n \"ENCAP\",\"ENCAP\",\n \"CPNX\",\"CPNX\",\n \"PTP\",\"PTP\",\n \"SKIP\",\"SKIP\",\n \"SCPS\",\"SCPS\",\n \"Sprite-RPC\",\"RPC\",\n \"IPv6 ICMP\",\"ICMP\",\n \"MUX\",\"MUX\",\n \"CHAOS\",\"CHAOS\",\n \"SSCOPMCE\",\"SSCOPMCE\",\n \"CBT\",\"CBT\",\n \"SPS\",\"SPS\",\n \"ETHERIP\",\"ETHERIP\",\n \"MTP\",\"MTP\",\n \"ROHC\",\"ROHC\",\n \"CRTP\",\"CRTP\",\n \"PNNI\",\"PNNI\",\n \"NETBLT\",\"NETBLT\",\n \"TLSP\",\"TLSP\",\n \"IDPR\",\"IDPR\",\n \"DDX\",\"DDX\",\n \"PUP\",\"PUP\",\n \"DSR\",\"DSR\",\n \"NARP\",\"NARP\",\n \"CPHB\",\"CPHB\",\n \"SMP\",\"SMP\",\n \"L2TP\",\"L2TP\",\n \"IPv6 ICMP/143/0\",\"ICMP\",\n \"MICP\",\"MICP\",\n \"GMTP\",\"GMTP\",\n \"LARP\",\"LARP\",\n \"IFMP\",\"IFMP\",\n \"IGP\",\"IGP\",\n \"CFTP\",\"CFTP\",\n \"PGM\",\"PGM\",\n \"DDP\",\"DDP\",\n \"PIPE\",\"PIPE\",\n \"IATP\",\"IATP\",\n \"IGMP\",\"IGMP\",\n \"3PC\",\"3PC\",\n \"DGP\",\"DGP\",\n \"TCF\",\"TCF\",\n \"UTI\",\"UTI\",\n \"DCCP\",\"DCCP\",\n \"SWIPE\",\"SWIPE\",\n \"EMCON\",\"EMCON\",\n \"PIM\",\"PIM\",\n \"RVD\",\"RVD\",\n ];\n let 
ActionLookup=datatable(DeviceAction:string,DvcAction_ActionLookup:string,EventResult_ActionLookup:string,EventSeverity_ActionLookup:string)\n [\n \"Allow\",\"Allow\",\"Success\",\"Informational\", \n \"Discard\",\"Drop\",\"Failure\",\"Low\",\n \"Permit\",\"Allow\",\"Success\",\"Informational\", \n \"Refuse\",\"Deny\",\"Failure\",\"Low\",\n \"Terminate\",\"Reset Source\",\"Failure\",\"Low\", \n \"Terminate (failed)\",\"\",\"Failure\",\"Low\",\n \"Terminate (passive)\",\"Reset Destination\",\"Failure\",\"Low\", \n \"Terminate (reset)\",\"Reset\",\"Failure\",\"Low\",\n \"Wait for Authentication\",\"\",\"Success\",\"Informational\",\n \"Wait for Further Actions\",\"\",\"Success\",\"Informational\", \n \"Wait for RPC Reply\",\"\",\"Success\",\"Informational\"\n ];\n let DeviceEventClassIDLookup_Packet=datatable(DeviceEventClassID:string,EventSubType:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string) //Add more codes if needed\n [\n \"70018\",\"Start\",\"Allow\",\"Success\",\"Informational\", // Connection_Allowed\n \"70019\",\"End\",\"Deny\",\"Failure\",\"Low\", // Connection_Discarded\n \"70021\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed\n \"70022\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed-Abnormally\n \"70026\",\"\",\"\",\"Success\",\"Informational\", // Connection_Progress\n ];\n let DeviceEventClassIDLookup_File=datatable(DeviceEventClassID:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string)\n [\n \"76506\",\"Allow\",\"Success\",\"Informational\", // File_Allowed\n \"76508\",\"Deny\",\"Failure\",\"Low\", // File_Malware-Blocked\n \"76509\",\"\",\"Failure\",\"Low\" // File_Malware-Detected\n ];\n let MessageLookup = datatable (Message:string, DvcAction_MessageLookup:string, EventResult_MessageLookup:string, EventResultDetails:string, 
EventOriginalResultDetails:string) \n [\n \"Connection dropped\", \"Drop\", \"Failure\",\"Terminated\", \"Connection dropped\",\n \"Connection removed because NGFW Engine is low on memory.\",\"Drop\", \"Failure\",\"Terminated\",\"Connection removed because NGFW Engine is low on memory.\",\n \"Connection timeout in state TCP_CLOSE_WAIT\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for the FIN packet (passive close).\",\n \"Connection timeout in state TCP_CLOSE_WAIT_ACK\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for the FIN packet (passive close)\",\n \"Connection timeout in state TCP_CLOSING\", \"\", \"Success\", \"Timeout\", \"Closing packet (FIN) sent by one end of the Connection (simultaneous).\",\n \"Connection timeout in state TCP_CLOSING_ACK\", \"\", \"Success\", \"Timeout\", \"Waiting for ACK for the FIN before going to closing status (active close).\",\n \"Connection timeout in state TCP_ESTABLISHED\", \"\", \"Failure\", \"Timeout\", \"Normal status of TCP Connections for data transfer.\",\n \"Connection timeout in state TCP_FIN_WAIT_1\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for sending the FIN packet (active close).\",\n \"Connection timeout in state TCP_FIN_WAIT_2\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for receiving ACK packet.\",\n \"Connection timeout in state TCP_LAST_ACK\", \"\",\t\"Success\", \"Timeout\", \"One end of the Connection sent a FIN packet (passive close).\",\n \"Connection timeout in state TCP_LAST_ACK_WAIT\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for the FIN packet to be acknowledged.\",\n \"Connection timeout in state TCP_SYN_ACK_SEEN\", \"\", \"Failure\",\t\"Timeout\", \"Second phase of the TCP three-way handshake, the server has replied to client sent SYN with SYN+ACK, next status will be established.\",\n \"Connection timeout in state TCP_SYN_FIN_SEEN\", \"\",\t\"Success\", \"Timeout\", \"T/TCP (Transactional TCP) 
Connection, RFC 1644.\",\n \"Connection timeout in state TCP_SYN_RETURN\", \"\", \"Failure\", \"Timeout\", \"Received simultaneous SYN from the other end (simultaneous open).\",\n \"Connection timeout in state TCP_SYN_SEEN\", \"\", \"Failure\", \"Timeout\", \"First packet sent by one end of the Connection.\",\n \"Connection timeout in state TCP_TIME_WAIT\", \"\", \"Success\", \"Timeout\", \"One end of the Connection acknowledged closing packet (FIN).\",\n \"Connection timeout in state TCP_TIME_WAIT_ACK\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for ACK for the FIN status before going to time wait status (active close).\",\n \"Connection timeout in state ICMP_ECHO\", \"\", \"Failure\", \"Timeout\", \"Ping reply is expected.\",\n \"Connection timeout in state ICMP_REPLY_WAIT\", \"\", \"Failure\", \"Timeout\", \"Other ICMP request or reply types.\",\n \"Connection was reset by client\", \"Reset Source\", \"Failure\",\"Reset\", \"\",\n \"Connection was reset by server\", \"Reset Destination\", \"Failure\",\"Reset\", \"\",\n \"invalid packet (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [A] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FPA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [PA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [RA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [SA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation\",\"Deny\",\"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation: Connection end-point replied with ACK to SYN-packet. 
Connection refused.\", \"Deny\", \"Failure\", \"Invalid TCP\", \"\",\n \"TSC error: Query timed out\", \"\", \"Failure\", \"Timeout\", \"\"\n ];\n let parser = (disabled:bool) { \n let ForcePointNetwork = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor==\"FORCEPOINT\" and DeviceProduct==\"Firewall\"\n | where DeviceFacility in~ (\"Inspection\",\"Packet Filtering\",\"File Filtering\") and isnotempty(DeviceEventClassID) and DeviceEventClassID != \"0\" \n ;\n let PacketFilteringData = ForcePointNetwork\n | where DeviceFacility == \"Packet Filtering\" and DeviceEventClassID !in (\"70383\",\"70393\",\"70734\",\"71009\",\"71040\")\n | lookup DeviceEventClassIDLookup_Packet on DeviceEventClassID\n | lookup MessageLookup on Message\n | extend DvcAction = coalesce(DvcAction_MessageLookup, DvcAction_DeviceEventClassIDLookup), \n EventResult = case (Message startswith \"Referred connection not known\", \"Failure\",\n coalesce(EventResult_MessageLookup, EventResult_DeviceEventClassIDLookup)), \n EventSeverity = case(Message startswith \"Referred connection not known\", \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(Message startswith \"Referred connection not known\", Message,\n EventOriginalResultDetails),\n EventType = \"NetworkSession\"\n | project-away DvcAction_*, EventResult_*, EventSeverity_DeviceEventClassIDLookup;\n let FileFilteringData = ForcePointNetwork\n | where DeviceFacility == \"File Filtering\"\n | lookup DeviceEventClassIDLookup_File on DeviceEventClassID\n | extend ThreatName = case (DeviceEventClassID in (\"76508\", \"76509\"), Activity,\n \"\")\n | project-rename DvcAction = DvcAction_DeviceEventClassIDLookup\n | extend EventResult = case(isnotempty(Message), \"Failure\",\n EventResult_DeviceEventClassIDLookup), \n EventSeverity = case(isnotempty(Message), \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(isnotempty(Message), Message,\n \"\"),\n EventType = 
\"NetworkSession\"\n | project-away *_DeviceEventClassIDLookup;\n let InspectionData = ForcePointNetwork\n | where DeviceFacility == \"Inspection\" or DeviceEventClassID == \"70734\"\n | extend MessageCode = toint(DeviceEventClassID)\n | extend EventSeverity = case (DeviceAction in~ (\"Allow\",\"Permit\"), \"Informational\",\n MessageCode >= 200000, \"High\",\n MessageCode < 200000, \"Low\",\n \"\"),\n EventType = case (MessageCode < 80000, \"NetworkSession\",\n \"IDS\")\n | extend ThreatName = Activity\n | project-away MessageCode;\n union PacketFilteringData, FileFilteringData, InspectionData\n | extend NetworkProtocol = _ASIM_LookupNetworkProtocol(Protocol)\n | lookup ActionLookup on DeviceAction\n | extend DvcAction = coalesce(DvcAction,DvcAction_ActionLookup), \n EventResult = coalesce(EventResult,EventResult_ActionLookup), \n EventSeverity = coalesce(EventSeverity, EventSeverity_ActionLookup)\n | project-away *_ActionLookup\n | lookup ApplicationProtocolLookup on ApplicationProtocol\n | extend \n EventCount = toint(1),\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Forcepoint\",\n EventProduct = \"Firewall\"\n | parse AdditionalExtensions with * \"requestURL=\" requestURL \n | project-rename\n EventOriginalType = DeviceEventClassID,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventMessage = Message,\n DvcOriginalAction = DeviceAction,\n SrcBytes = SentBytes,\n DstBytes = ReceivedBytes,\n EventOriginalSubType = DeviceFacility,\n DvcId = DeviceExternalID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcIpAddr = DeviceAddress,\n EventOriginalSeverity = LogSeverity,\n ThreatId = 
DeviceCustomString3\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ThreatCategory = column_ifexists(\"DeviceEventCategory\",\"\"),\n EventStartTime = todatetime(ReceiptTime),\n EventEndTime = todatetime(ReceiptTime),\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',requestURL)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',requestURL)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',requestURL)[0]\n | extend \n NetworkRuleName = case(isnotempty(DeviceCustomString2), strcat(DeviceCustomString1,',',DeviceCustomString2),\n DeviceCustomString1),\n DstDomainPart = tostring(host_parts[0]),\n DstIpAddr = coalesce(DstIpAddr, tostring(ipv4_parts[0]), tostring(ipv6_parts[0])),\n DstPortNumber = coalesce(DstPortNumber, toint(host_parts[1]), toint(ipv4_parts[1]), toint(ipv6_parts[1]))\n | invoke _ASIM_ResolveDstFQDN('DstDomainPart')\n | extend\n DvcIdType = case(isnotempty(DvcId), \"ForcepointId\",\n \"\"),\n DstPortNumber = case(\n isnotempty(DstPortNumber), DstPortNumber,\n ApplicationProtocol startswith \"TCP\", toint(split(ApplicationProtocol,'/')[1]),\n ApplicationProtocol startswith \"UDP\", toint(split(ApplicationProtocol,'/')[1]),\n int(null)),\n AdditionalFields = pack(iff(isnotempty(RequestMethod) and RequestMethod != \"UNKNOWN\", \"RequestMethod\", \"\"),RequestMethod,\n iff(isnotempty(DeviceCustomString4),\"VirusId\",\"\"),DeviceCustomString4),\n DstAppName = case(DestinationServiceName in~ (\"Generic-Web-HTTP\",\"Application-Unknown\",\"Unknown-Encrypted-Application\"), \"\",\n DestinationServiceName),\n DvcIpAddr = coalesce(DvcIpAddr,DeviceName)\n | extend\n Dvc = DvcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, 
OriginalLogSeverity, Process*, Protocol, ReceiptTime, Remote*, ReportReferenceLink, Request*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, ExtID, EventOutcome, FieldDevice*, Reason, ApplicationProtocol, Activity, requestURL, Computer, DstDomainPart, host_parts, ipv4_parts, ipv6_parts\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Force Point Firewall", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionForcePointFirewall", + "query": "let ApplicationProtocolLookup=datatable(ApplicationProtocol:string,NetworkApplicationProtocol:string)\n [\n \"HTTPS\",\"HTTPS\",\n \"HTTP-Over-QUIC\",\"HTTP\",\n \"HTTP\",\"HTTP\",\n \"DNS Over TLS\",\"DNS\",\n \"HTTP proxy\",\"HTTP\",\n \"IMAPS\",\"IMAPS\",\n \"SMTP\",\"SMTP\",\n \"IMAP\",\"IMAP\",\n \"POP3S\",\"POP3\",\n \"SMTP Submission Service\",\"SMTP\",\n \"X11\",\"X11\",\n \"RTSP\",\"RTSP\",\n \"Telnet\",\"TELNET\",\n \"NNTP\",\"NNTP\",\n \"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\n \"POP3\",\"POP3\",\n \"BGP\",\"BGP\",\n \"FTP\",\"FTP\",\n \"RIP\",\"RIP\",\n \"Squid HTTP proxy\",\"HTTP\",\n \"TFTP\",\"TFTP\",\n \"QOTD\",\"QOTD\",\n \"SCCP\",\"SCCP\",\n \"Modbus\",\"MODBUS\",\n \"SVN\",\"SVN\",\n \"RADIUS (Accounting)\",\"RADIUS\",\n \"Kerberos\",\"KERBEROS\",\n \"GRE\",\"GRE\",\n \"UUCP-rlogin\",\"UUCP\",\n \"GTP User Data Tunneling\",\"GTP\",\n \"NNTPS\",\"NNTP\",\n \"GTP Control\",\"GTP\",\n \"IRC-default\",\"IRC\",\n \"FTPS (Control)\",\"FTPS\",\n \"ICCP\",\"ICCP\",\n \"IRCS\",\"IRC\",\n \"Telnets\",\"TELNET\",\n \"Finger\",\"FINGER\",\n \"ESP\",\"ESP\",\n \"Rlogin\",\"RLP\",\n \"IMAP3\",\"IMAP\",\n \"MGCP\",\"MGCP\",\n \"RADIUS Accounting (Old)\",\"RADIUS\",\n \"RADIUS (Old)\",\"RADIUS\",\n \"CVS\",\"CVS\",\n \"Ident\",\"IDENT\",\n \"Gopher\",\"GOPHER\",\n \"BGMP\",\"BGMP\",\n \"FTPS (Data)\",\"FTPS\",\n 
\"POP2\",\"POP\",\n \"TLISRV\",\"TLISRV\",\n \"INGRES-NET\",\"INGRES-NET\",\n \"IPIP\",\"IPIP\",\n \"XTP\",\"XTP\",\n \"UUCP\",\"UUCP\",\n \"IRC\",\"IRC\",\n \"Photuris (ICMP)\",\"ICMP\",\n \"TACACS-DS\",\"TACACS-DS\",\n \"WESP\",\"WESP\",\n \"EGP\",\"EGP\",\n \"WSN\",\"WSN\",\n \"XDMCP\",\"XDMCP\",\n \"Kerberos IV\",\"KERBEROS\",\n \"IRTP\",\"IRTP\",\n \"TTP\",\"TTP\",\n \"IRC-SERV\",\"IRC\",\n \"I-NLSP\",\"NLSP\",\n \"SNP\",\"SNP\",\n \"XNS-IDP\",\"XNS\",\n \"SECURE-VMTP\",\"VMTP\",\n \"VMTP\",\"VMTP\",\n \"IPLT\",\"IPLT\",\n \"GGP\",\"GGP\",\n \"MFE-NSP\",\"NSP\",\n \"HIP\",\"HIP\",\n \"MERIT-NSP\",\"NSP\",\n \"NSFNET-IGP\",\"IGP\",\n \"DCN-MEAS\",\"DCN\",\n \"STP\",\"STP\",\n \"SRP\",\"SRP\",\n \"HMP\",\"HMP\",\n \"XNET\",\"XNET\",\n \"VRRP\",\"VRRP\",\n \"ENCAP\",\"ENCAP\",\n \"CPNX\",\"CPNX\",\n \"PTP\",\"PTP\",\n \"SKIP\",\"SKIP\",\n \"SCPS\",\"SCPS\",\n \"Sprite-RPC\",\"RPC\",\n \"IPv6 ICMP\",\"ICMP\",\n \"MUX\",\"MUX\",\n \"CHAOS\",\"CHAOS\",\n \"SSCOPMCE\",\"SSCOPMCE\",\n \"CBT\",\"CBT\",\n \"SPS\",\"SPS\",\n \"ETHERIP\",\"ETHERIP\",\n \"MTP\",\"MTP\",\n \"ROHC\",\"ROHC\",\n \"CRTP\",\"CRTP\",\n \"PNNI\",\"PNNI\",\n \"NETBLT\",\"NETBLT\",\n \"TLSP\",\"TLSP\",\n \"IDPR\",\"IDPR\",\n \"DDX\",\"DDX\",\n \"PUP\",\"PUP\",\n \"DSR\",\"DSR\",\n \"NARP\",\"NARP\",\n \"CPHB\",\"CPHB\",\n \"SMP\",\"SMP\",\n \"L2TP\",\"L2TP\",\n \"IPv6 ICMP/143/0\",\"ICMP\",\n \"MICP\",\"MICP\",\n \"GMTP\",\"GMTP\",\n \"LARP\",\"LARP\",\n \"IFMP\",\"IFMP\",\n \"IGP\",\"IGP\",\n \"CFTP\",\"CFTP\",\n \"PGM\",\"PGM\",\n \"DDP\",\"DDP\",\n \"PIPE\",\"PIPE\",\n \"IATP\",\"IATP\",\n \"IGMP\",\"IGMP\",\n \"3PC\",\"3PC\",\n \"DGP\",\"DGP\",\n \"TCF\",\"TCF\",\n \"UTI\",\"UTI\",\n \"DCCP\",\"DCCP\",\n \"SWIPE\",\"SWIPE\",\n \"EMCON\",\"EMCON\",\n \"PIM\",\"PIM\",\n \"RVD\",\"RVD\",\n ];\n let ActionLookup=datatable(DeviceAction:string,DvcAction_ActionLookup:string,EventResult_ActionLookup:string,EventSeverity_ActionLookup:string)\n [\n \"Allow\",\"Allow\",\"Success\",\"Informational\", \n 
\"Discard\",\"Drop\",\"Failure\",\"Low\",\n \"Permit\",\"Allow\",\"Success\",\"Informational\", \n \"Refuse\",\"Deny\",\"Failure\",\"Low\",\n \"Terminate\",\"Reset Source\",\"Failure\",\"Low\", \n \"Terminate (failed)\",\"\",\"Failure\",\"Low\",\n \"Terminate (passive)\",\"Reset Destination\",\"Failure\",\"Low\", \n \"Terminate (reset)\",\"Reset\",\"Failure\",\"Low\",\n \"Wait for Authentication\",\"\",\"Success\",\"Informational\",\n \"Wait for Further Actions\",\"\",\"Success\",\"Informational\", \n \"Wait for RPC Reply\",\"\",\"Success\",\"Informational\"\n ];\n let DeviceEventClassIDLookup_Packet=datatable(DeviceEventClassID:string,EventSubType:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string) //Add more codes if needed\n [\n \"70018\",\"Start\",\"Allow\",\"Success\",\"Informational\", // Connection_Allowed\n \"70019\",\"End\",\"Deny\",\"Failure\",\"Low\", // Connection_Discarded\n \"70021\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed\n \"70022\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed-Abnormally\n \"70026\",\"\",\"\",\"Success\",\"Informational\", // Connection_Progress\n ];\n let DeviceEventClassIDLookup_File=datatable(DeviceEventClassID:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string)\n [\n \"76506\",\"Allow\",\"Success\",\"Informational\", // File_Allowed\n \"76508\",\"Deny\",\"Failure\",\"Low\", // File_Malware-Blocked\n \"76509\",\"\",\"Failure\",\"Low\" // File_Malware-Detected\n ];\n let MessageLookup = datatable (Message:string, DvcAction_MessageLookup:string, EventResult_MessageLookup:string, EventResultDetails:string, EventOriginalResultDetails:string) \n [\n \"Connection dropped\", \"Drop\", \"Failure\",\"Terminated\", \"Connection dropped\",\n \"Connection removed because NGFW Engine is low on memory.\",\"Drop\", 
\"Failure\",\"Terminated\",\"Connection removed because NGFW Engine is low on memory.\",\n \"Connection timeout in state TCP_CLOSE_WAIT\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for the FIN packet (passive close).\",\n \"Connection timeout in state TCP_CLOSE_WAIT_ACK\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for the FIN packet (passive close)\",\n \"Connection timeout in state TCP_CLOSING\", \"\", \"Success\", \"Timeout\", \"Closing packet (FIN) sent by one end of the Connection (simultaneous).\",\n \"Connection timeout in state TCP_CLOSING_ACK\", \"\", \"Success\", \"Timeout\", \"Waiting for ACK for the FIN before going to closing status (active close).\",\n \"Connection timeout in state TCP_ESTABLISHED\", \"\", \"Failure\", \"Timeout\", \"Normal status of TCP Connections for data transfer.\",\n \"Connection timeout in state TCP_FIN_WAIT_1\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for sending the FIN packet (active close).\",\n \"Connection timeout in state TCP_FIN_WAIT_2\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for receiving ACK packet.\",\n \"Connection timeout in state TCP_LAST_ACK\", \"\",\t\"Success\", \"Timeout\", \"One end of the Connection sent a FIN packet (passive close).\",\n \"Connection timeout in state TCP_LAST_ACK_WAIT\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for the FIN packet to be acknowledged.\",\n \"Connection timeout in state TCP_SYN_ACK_SEEN\", \"\", \"Failure\",\t\"Timeout\", \"Second phase of the TCP three-way handshake, the server has replied to client sent SYN with SYN+ACK, next status will be established.\",\n \"Connection timeout in state TCP_SYN_FIN_SEEN\", \"\",\t\"Success\", \"Timeout\", \"T/TCP (Transactional TCP) Connection, RFC 1644.\",\n \"Connection timeout in state TCP_SYN_RETURN\", \"\", \"Failure\", \"Timeout\", \"Received simultaneous SYN from the other end (simultaneous open).\",\n \"Connection timeout in 
state TCP_SYN_SEEN\", \"\", \"Failure\", \"Timeout\", \"First packet sent by one end of the Connection.\",\n \"Connection timeout in state TCP_TIME_WAIT\", \"\", \"Success\", \"Timeout\", \"One end of the Connection acknowledged closing packet (FIN).\",\n \"Connection timeout in state TCP_TIME_WAIT_ACK\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for ACK for the FIN status before going to time wait status (active close).\",\n \"Connection timeout in state ICMP_ECHO\", \"\", \"Failure\", \"Timeout\", \"Ping reply is expected.\",\n \"Connection timeout in state ICMP_REPLY_WAIT\", \"\", \"Failure\", \"Timeout\", \"Other ICMP request or reply types.\",\n \"Connection was reset by client\", \"Reset Source\", \"Failure\",\"Reset\", \"\",\n \"Connection was reset by server\", \"Reset Destination\", \"Failure\",\"Reset\", \"\",\n \"invalid packet (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [A] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FPA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [PA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [RA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [SA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation\",\"Deny\",\"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation: Connection end-point replied with ACK to SYN-packet. 
Connection refused.\", \"Deny\", \"Failure\", \"Invalid TCP\", \"\",\n \"TSC error: Query timed out\", \"\", \"Failure\", \"Timeout\", \"\"\n ];\n let parser = (disabled:bool) { \n let ForcePointNetwork = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor==\"FORCEPOINT\" and DeviceProduct==\"Firewall\"\n | where DeviceFacility in~ (\"Inspection\",\"Packet Filtering\",\"File Filtering\") and isnotempty(DeviceEventClassID) and DeviceEventClassID != \"0\" \n ;\n let PacketFilteringData = ForcePointNetwork\n | where DeviceFacility == \"Packet Filtering\" and DeviceEventClassID !in (\"70383\",\"70393\",\"70734\",\"71009\",\"71040\")\n | lookup DeviceEventClassIDLookup_Packet on DeviceEventClassID\n | lookup MessageLookup on Message\n | extend DvcAction = coalesce(DvcAction_MessageLookup, DvcAction_DeviceEventClassIDLookup), \n EventResult = case (Message startswith \"Referred connection not known\", \"Failure\",\n coalesce(EventResult_MessageLookup, EventResult_DeviceEventClassIDLookup)), \n EventSeverity = case(Message startswith \"Referred connection not known\", \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(Message startswith \"Referred connection not known\", Message,\n EventOriginalResultDetails),\n EventType = \"NetworkSession\"\n | project-away DvcAction_*, EventResult_*, EventSeverity_DeviceEventClassIDLookup;\n let FileFilteringData = ForcePointNetwork\n | where DeviceFacility == \"File Filtering\"\n | lookup DeviceEventClassIDLookup_File on DeviceEventClassID\n | extend ThreatName = case (DeviceEventClassID in (\"76508\", \"76509\"), Activity,\n \"\")\n | project-rename DvcAction = DvcAction_DeviceEventClassIDLookup\n | extend EventResult = case(isnotempty(Message), \"Failure\",\n EventResult_DeviceEventClassIDLookup), \n EventSeverity = case(isnotempty(Message), \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(isnotempty(Message), Message,\n \"\"),\n EventType = 
\"NetworkSession\"\n | project-away *_DeviceEventClassIDLookup;\n let InspectionData = ForcePointNetwork\n | where DeviceFacility == \"Inspection\" or DeviceEventClassID == \"70734\"\n | extend MessageCode = toint(DeviceEventClassID)\n | extend EventSeverity = case (DeviceAction in~ (\"Allow\",\"Permit\"), \"Informational\",\n MessageCode >= 200000, \"High\",\n MessageCode < 200000, \"Low\",\n \"\"),\n EventType = case (MessageCode < 80000, \"NetworkSession\",\n \"IDS\")\n | extend ThreatName = Activity\n | project-away MessageCode;\n union PacketFilteringData, FileFilteringData, InspectionData\n | extend NetworkProtocol = _ASIM_LookupNetworkProtocol(Protocol)\n | lookup ActionLookup on DeviceAction\n | extend DvcAction = coalesce(DvcAction,DvcAction_ActionLookup), \n EventResult = coalesce(EventResult,EventResult_ActionLookup), \n EventSeverity = coalesce(EventSeverity, EventSeverity_ActionLookup)\n | project-away *_ActionLookup\n | lookup ApplicationProtocolLookup on ApplicationProtocol\n | extend \n EventCount = toint(1),\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Forcepoint\",\n EventProduct = \"Firewall\"\n | parse AdditionalExtensions with * \"requestURL=\" requestURL \n | project-rename\n EventOriginalType = DeviceEventClassID,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventMessage = Message,\n DvcOriginalAction = DeviceAction,\n SrcBytes = SentBytes,\n DstBytes = ReceivedBytes,\n EventOriginalSubType = DeviceFacility,\n DvcId = DeviceExternalID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcIpAddr = DeviceAddress,\n EventOriginalSeverity = LogSeverity,\n ThreatId = 
DeviceCustomString3\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ThreatCategory = column_ifexists(\"DeviceEventCategory\",\"\"),\n EventStartTime = todatetime(ReceiptTime),\n EventEndTime = todatetime(ReceiptTime),\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',requestURL)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',requestURL)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',requestURL)[0]\n | extend \n NetworkRuleName = case(isnotempty(DeviceCustomString2), strcat(DeviceCustomString1,',',DeviceCustomString2),\n DeviceCustomString1),\n DstDomainPart = tostring(host_parts[0]),\n DstIpAddr = coalesce(DstIpAddr, tostring(ipv4_parts[0]), tostring(ipv6_parts[0])),\n DstPortNumber = coalesce(DstPortNumber, toint(host_parts[1]), toint(ipv4_parts[1]), toint(ipv6_parts[1]))\n | invoke _ASIM_ResolveDstFQDN('DstDomainPart')\n | extend\n DvcIdType = case(isnotempty(DvcId), \"ForcepointId\",\n \"\"),\n DstPortNumber = case(\n isnotempty(DstPortNumber), DstPortNumber,\n ApplicationProtocol startswith \"TCP\", toint(split(ApplicationProtocol,'/')[1]),\n ApplicationProtocol startswith \"UDP\", toint(split(ApplicationProtocol,'/')[1]),\n int(null)),\n AdditionalFields = pack(iff(isnotempty(RequestMethod) and RequestMethod != \"UNKNOWN\", \"RequestMethod\", \"\"),RequestMethod,\n iff(isnotempty(DeviceCustomString4),\"VirusId\",\"\"),DeviceCustomString4),\n DstAppName = case(DestinationServiceName in~ (\"Generic-Web-HTTP\",\"Application-Unknown\",\"Unknown-Encrypted-Application\"), \"\",\n DestinationServiceName),\n DvcIpAddr = coalesce(DvcIpAddr,DeviceName)\n | extend\n Dvc = DvcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, 
OriginalLogSeverity, Process*, Protocol, ReceiptTime, Remote*, ReportReferenceLink, Request*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, ExtID, EventOutcome, FieldDevice*, Reason, ApplicationProtocol, Activity, requestURL, Computer, DstDomainPart, host_parts, ipv4_parts, ipv6_parts\n };\n parser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
index 676d4a0067e..fb7d186be97 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionFortinetFortiGate", - "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n[\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"Critical\", // High\n \"7\", \"Alert\", // Medium\n \"8\", \"High\" // Emergency\n];\nlet Parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or 
AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long\n ) with (pair_delimiter=';', kv_delimiter='=')\n | project-rename\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n NetworkRuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = 
FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | extend EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nParser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionFortinetFortiGate", + "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n[\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", 
\"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"Critical\", // High\n \"7\", \"Alert\", // Medium\n \"8\", \"High\" // Emergency\n];\nlet Parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n 
FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long\n ) with (pair_delimiter=';', kv_delimiter='=')\n | project-rename\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n NetworkRuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | extend EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nParser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json new file mode 100644 index 00000000000..91734f78179 --- /dev/null 
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionIllumioSaaSCore')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionIllumioSaaSCore", + "query": "let ProtocolLookup = datatable(proto:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 
55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\nlet NetworkProtocolVersionLookup = datatable(version: int, NetworkProtocolVersion: string)\n[\n 4,\"IPv4\",\n 6,\"IPv6\"\n];\nlet EventResultLookup = datatable(DvcAction: string, EventResult: string)\n[\n \"Deny\", \"Failure\",\n \"Allow\", \"Success\"\n];\nlet DvcActionLookup = datatable(pd: int, DvcAction: string)\n[\n// - Allow\n// - Deny\n// - Drop\n// - Drop ICMP\n// - Reset\n// - Reset Source\n// - Reset Destination\n// - 
Encrypt\n// - Decrypt\n// - VPNroute\n 2, \"Deny\",\n 1, \"Allow\",\n 0, \"Allow\"\n];\nlet ClassLookup = datatable(class: string, ClassDetail: string)\n[\n \"M\", \"Multicast\",\n \"B\", \"Broadcast\",\n \"U\", \"Unicast\"\n];\nlet parser=(disabled:bool=false){\n Illumio_Flow_Events_CL \n | where not(disabled)\n | lookup ProtocolLookup on proto\n | lookup NetworkProtocolVersionLookup on version\n | lookup DvcActionLookup on pd //set DvcAction\n | extend EventResult = iff(DvcAction == \"Deny\", \"Failure\", \"Success\")\n | lookup ClassLookup on class\n | extend\n EventCount = flow_count,\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventType = 'Flow',\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'NetworkSession',\n Dvc = pce_fqdn \n | extend NetworkDirection = case(\n dir=='I', 'Inbound',\n dir=='O', 'Outbound',\n 'Unknown'\n ),\n NetworkDuration = interval_sec,\n DstBytes = tolong(dst_dbo),\n SrcBytes = tolong(dst_dbi),\n DstIpAddr = dst_ip,\n SrcIpAddr = src_ip,\n DstPortNumber = dst_port,\n DstHostname = dst_hostname,\n SrcHostname = src_hostname,\n EventSeverity = case( \n DvcAction=='Deny', 'Low',\n 'Informational' \n )\n | extend \n SrcProcessName = iif(dir=='O', pn, ''),\n DstProcessName = iif(dir=='I', pn, ''),\n SrcUsername = iif(dir=='O', un, ''),\n DstUsername = iif(dir=='I', un, '')\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n //Aliases\n | extend \n DvcIpAddr = SrcIpAddr,\n DvcHostname = SrcHostname\n | extend\n AdditionalFields = bag_pack(\"Class\", ClassDetail,\n \"Network\",network,\n \"Source_Labels\", src_labels,\n \"Dest_Labels\", dst_labels,\n \"Src_href\", src_href, // can this be stored in SrcId instead?\n \"Dst_href\", dst_href // can this be stored in DvcId instead?\n // need to add SN here\n )\n // aliases \n | extend\n Duration = NetworkDuration,\n User = DstUsername,\n Hostname = 
DstHostname,\n IpAddr = SrcIpAddr,\n EventUid = _ItemId\n | project-away \n code,\n icmp_type,\n dst_dbi,\n dst_dbo,\n dst_tbi,\n dst_tbo,\n pce_fqdn,\n proto,\n dst_port,\n src_ip,\n dst_ip,\n dst_hostname,\n src_hostname,\n dir,\n flow_count,\n src_href,\n dst_href,\n src_labels,\n dst_labels,\n network,\n class,\n org_id,\n state, // decide how to use this\n pd_qualifier, //decide how to use this\n interval_sec,\n version,\n ddms, // not needed\n tdms, // not needed\n pn, \n un,\n pd,\n ClassDetail,\n TenantId\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md new file mode 100644 index 00000000000..444d4e5f443 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md @@ -0,0 +1,18 @@ +# Illumio SaaS Core ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for Illumio SaaS Core. + +This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
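Review bot: Any `pd` value that is not in `DvcActionLookup` leaves `DvcAction` empty, and the following `extend EventResult = iff(DvcAction == "Deny", "Failure", "Success")` then reports that flow as `Success`, so an unrecognised policy decision is normalised as an allowed session; the `EventResultLookup` datatable defined just above is built for exactly this mapping but is never applied. Replacing the `iff` line with `| lookup EventResultLookup on DvcAction` keeps unmapped decisions empty instead of defaulting to Success (and removes the dead datatable), and the `pd` codes should be checked against Illumio's policy-decision enumeration before `1` is mapped to `Allow` — if the product has a "potentially blocked" or "unknown" code, collapsing it into `Allow`/`Success` hides exactly the flows an analyst wants to see. Separately, `ProtocolLookup` lists key `84` twice (`TTP` and `IPTM`); `lookup` against a right-hand table with a duplicate key multiplies the matching rows, so a proto-84 flow would be emitted twice — keep one entry. The sibling parsers in this diff resolve protocol names through the shared `_ASIM_` helpers rather than an inline table, which is presumably the intended convention and would be worth aligning with.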
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionIllumioSaaSCore%2FASimNetworkSessionIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionIllumioSaaSCore%2FASimNetworkSessionIllumioSaaSCore.json)
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
index ff905bc427b..733271c404f 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMD4IoTAgent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMD4IoTAgent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Defender for IoT micro agent", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMD4IoTAgent", - "query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:long ','\n '\"BytesOut\":' BytesOut:long ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = 
LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"UID\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"UID\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away outbound\n;\nNetworkSessionMD4IoT\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] 
+ "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Defender for IoT micro agent", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMD4IoTAgent", + "query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:long ','\n '\"BytesOut\":' BytesOut:long ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"UID\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | 
extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"UID\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away outbound\n;\nNetworkSessionMD4IoT\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json index 7b1cef01a9c..ea1d0f87e44 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMD4IoTSensor')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMD4IoTSensor", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Defender for IoT sensor logs", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMD4IoTSensor", - "query": "let parser = (disabled:bool=false) \n{\n DefenderIoTRawEvent\n | where RawEventName == \"NetworkConnectionData\"\n | project-rename \n DvcSubscriptionId = AzureSubscriptionId\n | extend \n Dvc = tostring(EventDetails.SourceId),\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\n DstPortNumber = toint(EventDetails.Destination.Port),\n DstDescription = tostring(EventDetails.Destination.DeviceName),\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\n SrcIpAddr = tostring(EventDetails.Source.IPAddress),\n SrcPortNumber = toint(EventDetails.Source.Port),\n SrcDescription = tostring(EventDetails.Source.DeviceName),\n EventOriginalUid = tostring(EventDetails.Id),\n EventEndTime = todatetime(EventDetails.LastSeen),\n EventStartTime = todatetime(EventDetails.StartTime),\n NetworkProtocol = tostring(EventDetails.TransportProtocol)\n | extend\n EventProduct = 'Defender for IoT',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.4',\n 
EventCount = toint(1),\n EventSeverity = 'Informational',\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\n EventVendor = 'Microsoft',\n DstDvcIdType = 'MD4IoTid',\n SrcDvcIdType = 'MD4IoTid'\n | extend // -- Aliases\n Dst = coalesce(DstIpAddr,DstMacAddr),\n Src = coalesce(SrcIpAddr,SrcMacAddr),\n IpAddr = SrcIpAddr,\n EventStartTime = EventEndTime\n | project-away \n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\n | project-away EventDetails, AssociatedResourceId\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Defender for IoT sensor logs", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMD4IoTSensor", + "query": "let parser = (disabled:bool=false) \n{\n DefenderIoTRawEvent\n | where RawEventName == \"NetworkConnectionData\"\n | project-rename \n DvcSubscriptionId = AzureSubscriptionId\n | extend \n Dvc = tostring(EventDetails.SourceId),\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\n DstPortNumber = toint(EventDetails.Destination.Port),\n DstDescription = tostring(EventDetails.Destination.DeviceName),\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\n SrcIpAddr = tostring(EventDetails.Source.IPAddress),\n SrcPortNumber = toint(EventDetails.Source.Port),\n SrcDescription = tostring(EventDetails.Source.DeviceName),\n EventOriginalUid = tostring(EventDetails.Id),\n EventEndTime = todatetime(EventDetails.LastSeen),\n EventStartTime = todatetime(EventDetails.StartTime),\n NetworkProtocol = 
tostring(EventDetails.TransportProtocol)\n | extend\n EventProduct = 'Defender for IoT',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.4',\n EventCount = toint(1),\n EventSeverity = 'Informational',\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\n EventVendor = 'Microsoft',\n DstDvcIdType = 'MD4IoTid',\n SrcDvcIdType = 'MD4IoTid'\n | extend // -- Aliases\n Dst = coalesce(DstIpAddr,DstMacAddr),\n Src = coalesce(SrcIpAddr,SrcMacAddr),\n IpAddr = SrcIpAddr,\n EventStartTime = EventEndTime\n | project-away \n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\n | project-away EventDetails, AssociatedResourceId\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json index fa6db466080..52ceae1f101 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json 
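Review bot: The `disabled` parameter is declared (`let parser = (disabled:bool=false)` and `"functionParameters": "disabled:bool=False"`) but the query body never applies it — there is no `| where not(disabled)` after `DefenderIoTRawEvent`, unlike the MD4IoTAgent and FortiGate queries in this same diff — so a caller passing `disabled=true` (presumably the unifying parser) still gets every row from this source. This is carried over verbatim from the old nested resource rather than introduced by the restructuring, but since the whole `properties` block is re-emitted here it is the natural place to fix it: `DefenderIoTRawEvent\n | where not(disabled)\n | where RawEventName == "NetworkConnectionData"`. The later alias block also sets `EventStartTime = EventEndTime`, discarding the `todatetime(EventDetails.StartTime)` value extracted a few lines earlier; if that override is intentional, a short comment on that line saying why would save the next reader from "fixing" it.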
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoft365Defender')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoft365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for M365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoft365Defender", - "query": "let M365Defender=(disabled:bool=false){\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n ];\n // -- Common preprocessing to both input and outbound events\n let RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents | where not(disabled) \n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp, Outbound //, SourceSystem, TenantId\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = 
iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-away \n ReportId\n | project-rename \n EventOriginalResultDetails = ActionType\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | project-away Protocol\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | project-away RemoteUrl, DeviceName\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n };\n let OutboundNetworkEvents = \n RawNetworkEvents (true)\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserId = InitiatingProcessAccountSid\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n 
DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n ;\n let InboundNetworkEvents = \n RawNetworkEvents (false)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | project-rename\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType,\n DstHostname = DvcHostname,\n DstDomain = 
DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n ;\n union InboundNetworkEvents, OutboundNetworkEvents\n | project-rename \n Hostname = UrlHostname\n | extend // aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n };\n M365Defender (disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for M365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoft365Defender", + "query": "let M365Defender=(disabled:bool=false){\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n 
,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n ];\n // -- Common preprocessing to both input and outbound events\n let RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents | where not(disabled) \n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp, Outbound //, SourceSystem, TenantId\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-away \n ReportId\n | project-rename \n EventOriginalResultDetails = ActionType\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | project-away Protocol\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | project-away RemoteUrl, DeviceName\n | extend\n DvcDomainType = 
iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n };\n let OutboundNetworkEvents = \n RawNetworkEvents (true)\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserId = InitiatingProcessAccountSid\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // 
SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n ;\n let InboundNetworkEvents = \n RawNetworkEvents (false)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | project-rename\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType,\n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n ;\n union 
InboundNetworkEvents, OutboundNetworkEvents\n | project-rename \n Hostname = UrlHostname\n | extend // aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n };\n M365Defender (disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json index 71385d160dc..794febb6565 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json 
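Review bot: In the OutboundNetworkEvents branch of the query, `SrcFQDN = DvcDomain` assigns the device's domain rather than its FQDN, while the InboundNetworkEvents branch maps the same value as `DstFQDN = DvcFQDN`; the outbound line should read `SrcFQDN = DvcFQDN`. That line is untouched by this commit and the file appears to be generated from the parser's YAML source, so the fix belongs there followed by a regeneration. Separately, dropping the parent `Microsoft.OperationalInsights/workspaces` resource and its `dependsOn` turns an existing workspace into a precondition of the deployment instead of something the template would itself PUT, which is the safer shape; it is worth stating that in the description of the `Workspace` parameter, which presumably sits above this hunk. The same precondition applies to the ASimNetworkSessionMicrosoftLinuxSysmon and ASimNetworkSessionMicrosoftSecurityEventFirewall sections below.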
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionLinuxSysmon", - "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | project SyslogMessage, TimeGenerated, HostIP\n | where SyslogMessage has_all ('3')\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcAppType = 
'Process'\n | project-rename \n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process\n | extend\n SrcAppName = SrcProcessName\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstAppType = 'Process'\n | project-rename \n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process\n | extend\n DstAppName = DstProcessName\n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n NetworkProtocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-away\n outbound, Protocol\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionLinuxSysmon", + "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | project SyslogMessage, TimeGenerated, HostIP\n | where SyslogMessage has_all ('3')\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: 
(SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcAppType = 'Process'\n | project-rename \n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process\n | extend\n SrcAppName = SrcProcessName\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstAppType = 'Process'\n | project-rename \n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process\n | extend\n DstAppName = DstProcessName\n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n NetworkProtocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a 
constant value to avoid parsing\n | project-away\n outbound, Protocol\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json index 56a3a8a5e44..5445e521a0c 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json 
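Review bot: The direction rule `outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))` in `DirectionNetworkEvents` decides which side of the session is this device and therefore which of the Src*/Dst* user and process fields get populated, but nothing in the query explains why a loopback or unspecified source address is treated as outbound. A comment above that line such as `// -- a source equal to this host's address, loopback or 0.0.0.0 is treated as initiated locally, hence outbound` would make the rule reviewable. As the file appears generated, the comment belongs in the YAML source.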
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoftSecurityEventFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoftSecurityEventFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Windows Firewall Events", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoftSecurityEventFirewall", - "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 
'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet parser = (disabled: bool=false) {\nlet WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 5159)\n// will be extracting Event specific fields from 'EventData' field\n let SecurityEventProjected =\n SecurityEvent\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n ;\n let SecurityEvent_5152 = \n SecurityEventProjected | where not(disabled)\n | where EventID==5152\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | project-away EventData;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEventProjected | where not(disabled)\n | where EventID in (5154, 5155, 5158, 5159)\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n | project-away EventData;\n let SecurityEvent_5156_5157 =\n SecurityEventProjected | where not(disabled)\n | where EventID in (5156, 5157)\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'DirectionCode:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 
'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID''\n '\\x0d\\x0a 'RemoteMachineID''*\n | project-away EventData;\n union SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\n | lookup Directions on DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away Application, RemoteMachineID, RemoteUserID, ProcessId\n};\nWindowsFirewall_SecurityEvent \n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n EventOriginalType = tostring(EventID),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", 
\"\")\n // aliases\n | extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring (NetworkRuleNumber)\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Windows Firewall Events", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoftSecurityEventFirewall", + "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from 
EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet parser = (disabled: bool=false) {\nlet WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 5159)\n// will be extracting Event specific fields from 'EventData' field\n let SecurityEventProjected =\n SecurityEvent\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n ;\n let SecurityEvent_5152 = \n SecurityEventProjected | where not(disabled)\n | where EventID==5152\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | project-away EventData;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEventProjected | where not(disabled)\n | where EventID in (5154, 5155, 5158, 5159)\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n | project-away EventData;\n let SecurityEvent_5156_5157 =\n SecurityEventProjected | where not(disabled)\n | where EventID in (5156, 5157)\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'DirectionCode:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID''\n '\\x0d\\x0a 'RemoteMachineID''*\n | project-away EventData;\n union 
SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\n | lookup Directions on DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away Application, RemoteMachineID, RemoteUserID, ProcessId\n};\nWindowsFirewall_SecurityEvent \n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n EventOriginalType = tostring(EventID),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n // aliases\n | extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring (NetworkRuleNumber)\n | 
lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json index cf727567889..b65dbd9550e 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json 
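Review bot: `SrcUserId` and `DstUserId` are blanked when they hold the `S-1-0-0` placeholder before being typed as `SID`, but `SrcDvcId` and `DstDvcId`, which come from `RemoteMachineID` and are typed by `DstDvcIdType = iff (DstDvcId != "", "SID", "")`, receive no such normalization; if that field can carry the same null SID, a placeholder would be surfaced as a real device identifier. Mirroring the user handling, e.g. `SrcDvcId = iff (SrcDvcId <> "S-1-0-0", SrcDvcId, "")` and the same for `DstDvcId` ahead of the IdType lines, would close the gap. The query text is unchanged by this commit and the file appears generated from YAML, so the change belongs in the source and a regeneration.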
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoftSysmon", - "query": "let parser = (disabled:bool = false) {\n Event\n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==3\n | parse-kv EventData as (\n SourceIp:string,\n DestinationIp:string,\n SourceHostname:string,\n DestinationHostname:string,\n Initiated:bool, // Initiated indicates the process initiated a connection (meaning outbound)\n RuleName:string,\n UtcTime:datetime,\n ProcessGuid:string,\n ProcessId:string,\n Image:string,\n User:string,\n Protocol:string,\n SourceIsIpv6:bool,\n SourcePort:int,\n SourcePortName:string,\n DestinationIsIpv6:bool,\n DestinationPort:int,\n DestinationPortName:string\n ) with (regex=@'{?([^>]*?)}?')\n | project-away EventData\n | project-rename\n SrcHostname = SourceHostname,\n DstHostname = DestinationHostname\n | project-away\n Source,\n EventLog,\n EventCategory,\n UserName,\n Message,\n ParameterXml,\n RenderedDescription,\n MG,\n AzureDeploymentID,\n Role\n | extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n | extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), 
tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\"),\n EventUid = _ItemId\n | project-away ProcessId, ProcessGuid, Image, AppName\n | project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n | extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated, DstHostname,\n not(Initiated), SrcHostname,\n Dvc),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n | extend\n DvcHostname = Hostname\n | extend\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n | project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n | invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n | invoke \n 
_ASIM_ResolveDvcFQDN('TmpDvcHostname')\n | invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n | project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n | extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n | project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,_ResourceId\n };\n parser (disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoftSysmon", + "query": "let parser = (disabled:bool = false) {\n Event\n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==3\n | parse-kv EventData as (\n SourceIp:string,\n DestinationIp:string,\n SourceHostname:string,\n DestinationHostname:string,\n Initiated:bool, // Initiated indicates the process initiated a connection (meaning outbound)\n RuleName:string,\n UtcTime:datetime,\n ProcessGuid:string,\n ProcessId:string,\n Image:string,\n User:string,\n Protocol:string,\n SourceIsIpv6:bool,\n SourcePort:int,\n SourcePortName:string,\n DestinationIsIpv6:bool,\n DestinationPort:int,\n DestinationPortName:string\n ) with (regex=@'{?([^>]*?)}?')\n | project-away EventData\n | project-rename\n SrcHostname = SourceHostname,\n DstHostname = DestinationHostname\n | project-away\n Source,\n EventLog,\n EventCategory,\n UserName,\n Message,\n ParameterXml,\n RenderedDescription,\n MG,\n AzureDeploymentID,\n Role\n | extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n | extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, 
\"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\"),\n EventUid = _ItemId\n | project-away ProcessId, ProcessGuid, Image, AppName\n | project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n | extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated, DstHostname,\n not(Initiated), SrcHostname,\n Dvc),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n | extend\n DvcHostname = Hostname\n | extend\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n | project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n | invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n | invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n | invoke \n 
_ASIM_ResolveDstFQDN('TmpDstHostname')\n | project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n | extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n | project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,_ResourceId\n };\n parser (disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json index da140e9352d..010dd89612a 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json 
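Review bot: In the retained query, `DvcHostname = Hostname` names the remote peer as the reporting device: `Hostname = case(Initiated, DstHostname, not(Initiated), SrcHostname, Dvc)` picks the far side of the session, while `Dvc = Computer` and `DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr)` both resolve to the local host, so for an outbound (Initiated) event DvcHostname carries the destination host rather than the machine that logged it. Unless the Hostname alias is deliberately the remote side, DvcHostname should follow DvcIpAddr, e.g. `DvcHostname = iff(Initiated, SrcHostname, DstHostname)`; as written, detections and hunting that pivot on DvcHostname would attribute endpoint sessions to the wrong machine. This JSON looks generated (the generator in KqlFuncYaml2Arm.py changes in the same commit), so the fix presumably belongs in the source YAML parser, with the template regenerated afterwards.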
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled:bool = false) {\nlet Sysmon3_WindowsEvent=(disabled:bool=false){\n WindowsEvent\n | where not(disabled) \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | extend\n SourceIp = tostring(EventData.SourceIp),\n DestinationIp = tostring(EventData.DestinationIp),\n DstHostname = tostring(EventData.DestinationHostname),\n SrcHostname = tostring(EventData.SrcHostname),\n RuleName = tostring(EventData.RuleName),\n UtcTime = todatetime(EventData.UtcTime),\n ProcessId = tostring(EventData.ProcessId),\n Image = tostring(EventData.Image),\n User = tostring(EventData.User),\n Protocol = tostring(EventData.Protocol),\n Initiated = tobool(EventData.Initiated), // Initiated indicates the process initiated a connection (meaning outbound)\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\n SourcePort = toint(EventData.SourcePort),\n SourcePortName = tostring(EventData.SourcePortName),\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\n DestinationPort = toint(EventData.DestinationPort),\n DestinationPortName = tostring(EventData.DestinationPortName)\n | parse EventData.ProcessGuid 
with \"{\" ProcessGuid \"}\"\n | project-away EventData\n | project-away\n Provider,\n Channel,\n Task,\n Data,\n RawEventData,\n EventOriginId\n };\nSysmon3_WindowsEvent\n | extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n | extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\"),\n EventUid = _ItemId\n | project-away ProcessId, ProcessGuid, Image, AppName\n | project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n | extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated, DstHostname,\n not(Initiated), SrcHostname,\n Dvc),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n | extend\n DvcHostname = Hostname\n | extend\n SrcHostname = 
iff( SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n | project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n | invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n | invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n | invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n | project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n | extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n | project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,_ResourceId,Version\n };\n parser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled:bool = false) {\nlet Sysmon3_WindowsEvent=(disabled:bool=false){\n WindowsEvent\n | where not(disabled) \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | extend\n SourceIp = tostring(EventData.SourceIp),\n DestinationIp = tostring(EventData.DestinationIp),\n DstHostname = tostring(EventData.DestinationHostname),\n SrcHostname = tostring(EventData.SrcHostname),\n RuleName = tostring(EventData.RuleName),\n UtcTime = todatetime(EventData.UtcTime),\n ProcessId = tostring(EventData.ProcessId),\n Image = tostring(EventData.Image),\n User = tostring(EventData.User),\n Protocol = tostring(EventData.Protocol),\n Initiated = tobool(EventData.Initiated), // Initiated indicates the 
process initiated a connection (meaning outbound)\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\n SourcePort = toint(EventData.SourcePort),\n SourcePortName = tostring(EventData.SourcePortName),\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\n DestinationPort = toint(EventData.DestinationPort),\n DestinationPortName = tostring(EventData.DestinationPortName)\n | parse EventData.ProcessGuid with \"{\" ProcessGuid \"}\"\n | project-away EventData\n | project-away\n Provider,\n Channel,\n Task,\n Data,\n RawEventData,\n EventOriginId\n };\nSysmon3_WindowsEvent\n | extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n | extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\"),\n EventUid = _ItemId\n | project-away ProcessId, ProcessGuid, Image, AppName\n | project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n | extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated, DstHostname,\n not(Initiated), SrcHostname,\n Dvc),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 
'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n | extend\n DvcHostname = Hostname\n | extend\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n | project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n | invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n | invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n | invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n | project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n | extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n | project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,_ResourceId,Version\n };\n parser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json index cf88e86eb9a..dd09199cb10 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json 
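Review bot: `SrcHostname = tostring(EventData.SrcHostname)` reads a field name that does not match its sibling `DstHostname = tostring(EventData.DestinationHostname)`; the Event-table variant of this parser parses the same Sysmon event 3 payload as `SourceHostname:string`, so the WindowsEvent field is presumably `SourceHostname` and SrcHostname would be empty on every row, leaving `_ASIM_ResolveSrcFQDN('TmpSrcHostname')` nothing to resolve. The one-line fix is `SrcHostname = tostring(EventData.SourceHostname),`. Since this template appears to be generated from the YAML parser (the generator changes in this commit), the correction should be made in the source YAML and the JSON regenerated.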
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoftWindowsEventFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoftWindowsEventFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Windows Firewall Events", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoftWindowsEventFirewall", - "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 
'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet parser = (disabled: bool=false) {\nlet WindowsFirewall_WindowsEvent=(){ \n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n | where EventID between (5150 .. 5159)\n | project-rename DvcHostname = Computer\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = toint(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcIpAddr = tostring(EventData.SourceAddress),\n DstIpAddr = tostring(EventData.DestAddress),\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber=toint(EventData.SourcePort),\n DstPortNumber=toint(EventData.DestPort),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n };\n// Main query -> outputs both schemas as one normalized table\nWindowsFirewall_WindowsEvent \n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n 
DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n EventOriginalType = tostring(EventID),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n // aliases\n | extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring (NetworkRuleNumber)\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\n }; \n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Windows Firewall Events", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoftWindowsEventFirewall", + "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 
'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet parser = (disabled: bool=false) {\nlet WindowsFirewall_WindowsEvent=(){ \n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n | where EventID between (5150 .. 
5159)\n | project-rename DvcHostname = Computer\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = toint(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcIpAddr = tostring(EventData.SourceAddress),\n DstIpAddr = tostring(EventData.DestAddress),\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber=toint(EventData.SourcePort),\n DstPortNumber=toint(EventData.DestPort),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n };\n// Main query -> outputs both schemas as one normalized table\nWindowsFirewall_WindowsEvent \n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows 
Firewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n EventOriginalType = tostring(EventID),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n // aliases\n | extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring (NetworkRuleNumber)\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\n }; \n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json index 6014945874e..3e228a66b59 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json 
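Review bot: `SrcUserIdType = iff (SrcUserId <> "S-1-0-0", "SID", "")` labels an empty identifier as a SID: SrcUserId is only populated from RemoteUserID when `not(isOutBound)`, so on outbound rows it is `""`, `"" <> "S-1-0-0"` is true, and SrcUserIdType becomes "SID" with no id; DstUserIdType has the mirror problem on inbound rows. The neighbouring `DstDvcIdType = iff (DstDvcId != "", "SID", "")` already shows the intended pattern, so `SrcUserIdType = iff (isnotempty(SrcUserId) and SrcUserId <> "S-1-0-0", "SID", "")` and the matching change for DstUserIdType would make the type fields trustworthy for identity-based correlation. The same construct appears in the SecurityEvent variant of this parser earlier in the diff. This JSON looks generated from the YAML parser (the generator changes in the same commit), so fix it at the source and regenerate.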
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Sentinel native Network Session table", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionNative", - "query": "let parser=(disabled:bool=false) \n{\n ASimNetworkSessionLogs | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"NetworkSession\",\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = case(EventType == 'L2NetworkSession',\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n Rule = 
coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = DstUsername,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId\n | project-away\n TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\n };\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Sentinel native Network Session table", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionNative", + "query": "let parser=(disabled:bool=false) \n{\n ASimNetworkSessionLogs | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"NetworkSession\",\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = case(EventType == 'L2NetworkSession',\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = DstUsername,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId\n | project-away\n 
TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\n };\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json index 6bb0362af18..feb595a1a95 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json 
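Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests EventEndTime instead of EventStartTime, so a row with a null start and a valid end keeps a null EventStartTime, while a null end time silently replaces a valid start time with TimeGenerated; this reads as a copy of the EventEndTime line immediately above. The fix is `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),` and, as with the other templates, it presumably belongs in the source YAML from which this JSON is generated. Separately, `"etag": "*"` makes the deployment unconditionally overwrite any existing saved search with this alias; that is the usual convention for these parsers but worth knowing for workspaces where the function has been customized.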
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionPaloAltoCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionPaloAltoCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Palo Alto PanOS", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionPaloAltoCEF", - "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet NWParser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , 
Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity // not documented\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\nEventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\" // Not Documented\n , SrcBytes=tolong(SentBytes)\n , DstBytes=tolong(ReceivedBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.1\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n| project-rename\n 
DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\nIpAddr = SrcIpAddr,\nRule=NetworkRuleName,\nDst=DstIpAddr,\n// Host=DstHostname, \nUser=DstUsername,\nDuration=NetworkDuration,\nSessionId=NetworkSessionId,\nEventEndTime =EventStartTime,\nSrc=SrcIpAddr\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Palo Alto PanOS", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionPaloAltoCEF", + "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet NWParser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| 
parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity // not documented\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\nEventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\" // Not Documented\n , SrcBytes=tolong(SentBytes)\n , DstBytes=tolong(ReceivedBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n 
toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.1\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\nIpAddr = SrcIpAddr,\nRule=NetworkRuleName,\nDst=DstIpAddr,\n// Host=DstHostname, \nUser=DstUsername,\nDuration=NetworkDuration,\nSessionId=NetworkSessionId,\nEventEndTime =EventStartTime,\nSrc=SrcIpAddr\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json index 2435b3abd71..e546d3d2859 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\n \"reset-both\", \"Reset\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", \"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", 
\"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke 
_ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n 
PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n \"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n DstUserId = DestinationUserID,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, 
SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n 
ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\n \"reset-both\", \"Reset\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", \"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", \"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and 
DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, 
DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n \"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = 
PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n DstUserId = DestinationUserID,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = 
_ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json index 23bd6190fe3..7c0188f1f05 100644 
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionSentinelOne", - "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = 
SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"TCPV4\"\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", 
\"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionSentinelOne", + "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n 
alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"TCPV4\"\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = 
DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json index 4999eb6a334..7f0c242b9d2 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionSonicWallFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionSonicWallFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for SonicWall firewalls", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionSonicWallFirewall", - "query": "let Actions=datatable(fw_action:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"\\\"forward\\\"\",\"Allow\"\n, \"\\\"mgmt\\\"\",\"Other\"\n, \"\\\"NA\\\"\",\"Other\"\n, \"deny\",\"Deny\"\n, \"\\\"drop\\\"\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet Parser=(disabled:bool=false){\nCommonSecurityLog\n| where not(disabled)\n| where DeviceVendor == \"SonicWall\"\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with 
(pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n SourceIP = coalesce(SourceIP, srcV6)\n , DestinationIP = coalesce(DestinationIP, dstV6)\n| where ( isnotempty(SourceIP) and isnotempty(DestinationIP) )\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\n| lookup Actions on fw_action\n// Sets the mandatory EventResult based on the DvcAction.\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n| extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n| project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstIpAddr = DestinationIP\n , SrcIpAddr = SourceIP\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , sosSerialNumber = Computer\n , DvcOutboundInterface = 
DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Category ID and Name\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , Dvc = sosSerialNumber\n , DvcDescription = DeviceProduct\n , ASimMatchingHostname = \"-\"\n , ASimMatchingIpAddr = \"-\"\n , NetworkIcmpType = tostring(NetworkIcmpType)\n , NetworkIcmpCode = toint(NetworkIcmpCode)\n , Rule = NetworkRuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , 
sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , SrcZone = sosSourceZone\n , DstZone = sosDestinationZone\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventSchema = \"NetworkSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"NA\"\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and 
DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", 
tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , 
ipspri\n , spypri\n , sos*\n , RequestURL\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nParser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for SonicWall firewalls", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionSonicWallFirewall", + "query": "let Actions=datatable(fw_action:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"\\\"forward\\\"\",\"Allow\"\n, \"\\\"mgmt\\\"\",\"Other\"\n, \"\\\"NA\\\"\",\"Other\"\n, \"deny\",\"Deny\"\n, \"\\\"drop\\\"\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet Parser=(disabled:bool=false){\nCommonSecurityLog\n| where not(disabled)\n| where DeviceVendor == \"SonicWall\"\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, 
['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n SourceIP = coalesce(SourceIP, srcV6)\n , DestinationIP = coalesce(DestinationIP, dstV6)\n| where ( isnotempty(SourceIP) and isnotempty(DestinationIP) )\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\n| lookup Actions on fw_action\n// Sets the mandatory EventResult based on the DvcAction.\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n| extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n| project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstIpAddr = DestinationIP\n , SrcIpAddr = SourceIP\n , DstPortNumber = 
DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , sosSerialNumber = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Category ID and Name\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , Dvc = sosSerialNumber\n , DvcDescription = DeviceProduct\n , ASimMatchingHostname = \"-\"\n , ASimMatchingIpAddr = \"-\"\n , NetworkIcmpType = tostring(NetworkIcmpType)\n , NetworkIcmpCode = toint(NetworkIcmpCode)\n , Rule = NetworkRuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , 
sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , SrcZone = sosSourceZone\n , DstZone = sosDestinationZone\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventSchema = \"NetworkSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"NA\"\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and 
DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", 
tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , 
ipspri\n , spypri\n , sos*\n , RequestURL\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nParser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json index b805da82caf..ee37d31ea88 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionVMConnection')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionVMConnection", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for VM connection information collected using the Log Analytics agent", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionVMConnection", - "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet VMConnectionProjected = VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\nlet outbound = (disabled:bool=false) {\n VMConnectionProjected\n | where not (disabled)\n | where Direction == \"outbound\"\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke 
_ASIM_ResolveDstFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n};\nlet inbound = (disabled:bool=false) {\n VMConnectionProjected\n | where not (disabled)\n | where Direction == \"inbound\"\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n};\nlet parser=(disabled:bool=false){\n union outbound(disabled), inbound(disabled)\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.2\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n 
NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp,\n EventReportUrl = ReportReferenceLink,\n ThreatIpAddr = MaliciousIp\n // -- Calculated fields\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished) ,\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for VM connection information collected using the Log Analytics agent", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionVMConnection", + "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet VMConnectionProjected = VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, 
Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\nlet outbound = (disabled:bool=false) {\n VMConnectionProjected\n | where not (disabled)\n | where Direction == \"outbound\"\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveDstFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n};\nlet inbound = (disabled:bool=false) {\n VMConnectionProjected\n | where not (disabled)\n | where Direction == \"inbound\"\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = 
DstDomainType,\n LocalIpAddr = DestinationIp\n};\nlet parser=(disabled:bool=false){\n union outbound(disabled), inbound(disabled)\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.2\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp,\n EventReportUrl = ReportReferenceLink,\n ThreatIpAddr = MaliciousIp\n // -- Calculated fields\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished) ,\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = 
NetworkSessionId\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json index 70e46480888..53c687b9be5 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionVMwareCarbonBlackCloud", - "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n ];\n let DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n ];\n let EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n ];\n let ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n ];\n let parser=(disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: 
string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string,\n )[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n )[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.netconn\"\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction;\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n 
threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend temp_action = tostring(split(action_s, \"|\")[0])\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = 
sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcProcessName = process_path_s,\n SrcUsername = process_username_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n DvcOriginalAction == \"ACTION_ALLOW\" or isempty(DvcOriginalAction),\n \"Success\",\n \"Failure\"\n ),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n };\n parser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": 
"ASimNetworkSessionVMwareCarbonBlackCloud", + "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n ];\n let DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n ];\n let EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n ];\n let ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n ];\n let parser=(disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string,\n )[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n 
threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n )[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.netconn\"\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction;\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = 
tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend temp_action = tostring(split(action_s, \"|\")[0])\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcProcessName = process_path_s,\n SrcUsername = process_username_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n DvcOriginalAction == \"ACTION_ALLOW\" or isempty(DvcOriginalAction),\n 
\"Success\",\n \"Failure\"\n ),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n };\n parser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json index a027a6e6e33..5c2ae6a55b5 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Vectra AI Streams", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionVectraAI", - "query": "let parser = (disabled:bool=false, pack:bool=false) \n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'External'];\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\n \"S1\", 'Start',\n \"SF\", 'End'];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where metadata_type_s == 'metadata_isession'\n | project-away MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | project-rename\n DstIpAddr = id_resp_h_s,\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n // -- huid does not seem to be unique per device and not mapped for now\n // DstDvcId = resp_huid_s, \n // SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n EventUid = _ItemId\n // -- the domain field may have invalid values. 
Most of them are IP addresses filtered out, but a small fraction are not filtered.\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\n | extend SplitRespDomain = split(resp_domain_s,\".\")\n | extend \n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\n | extend\n DstHostname = case (\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\n DstDescription)\n | project-away SplitRespDomain\n | extend\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkApplicationProtocol = toupper(service_s),\n NetworkProtocol = toupper(protoName_s),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n Dst = DstIpAddr,\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n DstVlanId = tostring(toint(resp_vlan_id_d)),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational',\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\n EventType = 'NetworkSession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\n // -- No ID mapped, since huid found not to be unique\n // SrcDvcIdType = 'VectraId',\n // 
DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n NetworkDuration = toint(duration_d)\n | extend \n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n // SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n Dvc = DvcId,\n Duration = NetworkDuration,\n InnerVlanId = SrcVlanId,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n OuterVlanId = DstVlanId\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup EventSubTypeLookup on conn_state_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_sluid\", orig_sluid_s, \n \"resp_sluid\", resp_sluid_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer\n};\nparser (disabled=disabled, pack=pack)", - "version": 1, - "functionParameters": "disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Vectra AI Streams", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionVectraAI", + "query": "let parser = (disabled:bool=false, pack:bool=false) \n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n 
false, false, 'External'];\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\n \"S1\", 'Start',\n \"SF\", 'End'];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where metadata_type_s == 'metadata_isession'\n | project-away MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | project-rename\n DstIpAddr = id_resp_h_s,\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n // -- huid does not seem to be unique per device and not mapped for now\n // DstDvcId = resp_huid_s, \n // SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n EventUid = _ItemId\n // -- the domain field may have invalid values. Most of them are IP addresses filtered out, but a small fraction are not filtered.\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\n | extend SplitRespDomain = split(resp_domain_s,\".\")\n | extend \n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\n | extend\n DstHostname = case (\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\n DstDescription)\n | project-away SplitRespDomain\n | extend\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkApplicationProtocol = toupper(service_s),\n NetworkProtocol = toupper(protoName_s),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n Dst = 
DstIpAddr,\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n DstVlanId = tostring(toint(resp_vlan_id_d)),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational',\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\n EventType = 'NetworkSession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\n // -- No ID mapped, since huid found not to be unique\n // SrcDvcIdType = 'VectraId',\n // DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n NetworkDuration = toint(duration_d)\n | extend \n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n // SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n Dvc = DvcId,\n Duration = NetworkDuration,\n InnerVlanId = SrcVlanId,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n OuterVlanId = DstVlanId\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup EventSubTypeLookup on conn_state_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_sluid\", orig_sluid_s, \n \"resp_sluid\", resp_sluid_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", 
unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer\n};\nparser (disabled=disabled, pack=pack)", + "version": 1, + "functionParameters": "disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json index 3216b4523ab..bc3861e4c88 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json 
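Review bot: The new top-level `Microsoft.OperationalInsights/workspaces/savedSearches` resource drops both the parent workspace resource and the `dependsOn` entry, so the template now silently requires the workspace named by `parameters('Workspace')` to already exist in the target resource group and fails rather than creates it otherwise. That is arguably the safer shape — the old form issued a PUT against the workspace itself with only a name and location, which could in principle touch an existing workspace's settings — but the assumption has become implicit. Consider stating it where the `Workspace` parameter is declared (outside this hunk), e.g. `"description": "Name of an existing Log Analytics workspace; this template does not create or modify the workspace itself."`. The identical restructuring appears in the WatchGuard Fireware OS, Zscaler ZIA and imNetworkSession hunks below, so one documentation fix in the generator's template would cover all of them.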
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionWatchGuardFirewareOS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionWatchGuardFirewareOS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for WatchGuard Fireware OS", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionWatchGuardFirewareOS", - "query": "let Parser=(disabled:bool=false){\n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Allow\",\"Success\",\"Informational\"\n , \"Deny\",\"Failure\",\"Low\"\n ];\n let SyslogParser = (T:(SyslogMessage:string)) {\n T\n | parse-kv SyslogMessage as (geo_src:string\n , geo_dst:string\n , src_user:string\n , dst_user:string\n , duration:int\n , sent_bytes:long\n , rcvd_bytes:long\n , fqdn_src_match:string\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\n | project-rename SrcGeoCountry = geo_src\n , DstGeoCountry = geo_dst\n , SrcUsername = src_user\n , DstUsername = dst_user\n , NetworkDuration = duration\n , SrcBytes = sent_bytes\n , DstBytes = rcvd_bytes\n , DstDomain = fqdn_dst_match\n , SrcDomain = fqdn_src_match\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\n | lookup EventLookup on DvcAction\n | extend DstDomainType = iif(isnotempty(DstDomain),\"FQDN\",\"\")\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\n | extend SrcUsernameType = 
case(isempty(SrcUsername), \"\"\n , countof(SrcUsername, \"@\") == 1, \"UPN\"\n , \"Simple\"\n )\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\n , countof(DstUsername, \"@\") == 1, \"UPN\"\n , \"Simple\"\n )\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\n | project-away SyslogMessage\n };\n let AllSyslog = \n Syslog\n | where not(disabled)\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \n , 'msg_id=\"3000-0149\"' \n , 'msg_id=\"3000-0150\"'\n , 'msg_id=\"3000-0151\"'\n , 'msg_id=\"3000-0173\"'\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\n | project TimeGenerated, SyslogMessage, HostName\n ;\n let Parse1 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | invoke SyslogParser()\n ;\n let Parse2 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | invoke SyslogParser()\n ;\n let Parse3 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n let Parse4 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n let 
Parse5 = \n AllSyslog\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\n | extend EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.4\"\n , EventVendor = \"WatchGuard\"\n , EventProduct = \"Fireware\"\n , EventType = \"NetworkSession\"\n , DvcHostname = HostName\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkProtocol = toupper(NetworkProtocol)\n , NetworkDuration = toint(NetworkDuration * toint(1000))\n , NetworkBytes = SrcBytes + DstBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = TimeGenerated\n , Src = SrcIpAddr\n , Dst = DstIpAddr\n , Duration = NetworkDuration\n , User = DstUsername\n , IpAddr = SrcIpAddr\n | project-rename Dvc = HostName\n};\nParser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for WatchGuard Fireware OS", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionWatchGuardFirewareOS", + "query": "let Parser=(disabled:bool=false){\n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Allow\",\"Success\",\"Informational\"\n , \"Deny\",\"Failure\",\"Low\"\n ];\n let SyslogParser = (T:(SyslogMessage:string)) {\n T\n | parse-kv SyslogMessage as (geo_src:string\n , geo_dst:string\n , src_user:string\n , dst_user:string\n , duration:int\n , sent_bytes:long\n , rcvd_bytes:long\n , fqdn_src_match:string\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\n | project-rename SrcGeoCountry = geo_src\n , DstGeoCountry = geo_dst\n , SrcUsername = src_user\n , DstUsername = dst_user\n , 
NetworkDuration = duration\n , SrcBytes = sent_bytes\n , DstBytes = rcvd_bytes\n , DstDomain = fqdn_dst_match\n , SrcDomain = fqdn_src_match\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\n | lookup EventLookup on DvcAction\n | extend DstDomainType = iif(isnotempty(DstDomain),\"FQDN\",\"\")\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\n | extend SrcUsernameType = case(isempty(SrcUsername), \"\"\n , countof(SrcUsername, \"@\") == 1, \"UPN\"\n , \"Simple\"\n )\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\n , countof(DstUsername, \"@\") == 1, \"UPN\"\n , \"Simple\"\n )\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\n | project-away SyslogMessage\n };\n let AllSyslog = \n Syslog\n | where not(disabled)\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \n , 'msg_id=\"3000-0149\"' \n , 'msg_id=\"3000-0150\"'\n , 'msg_id=\"3000-0151\"'\n , 'msg_id=\"3000-0173\"'\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\n | project TimeGenerated, SyslogMessage, HostName\n ;\n let Parse1 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | invoke SyslogParser()\n ;\n let Parse2 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | invoke SyslogParser()\n ;\n let Parse3 = \n AllSyslog\n | where SyslogMessage has 
\"icmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n let Parse4 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n let Parse5 = \n AllSyslog\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\n | extend EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.4\"\n , EventVendor = \"WatchGuard\"\n , EventProduct = \"Fireware\"\n , EventType = \"NetworkSession\"\n , DvcHostname = HostName\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkProtocol = toupper(NetworkProtocol)\n , NetworkDuration = toint(NetworkDuration * toint(1000))\n , NetworkBytes = SrcBytes + DstBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = TimeGenerated\n , Src = SrcIpAddr\n , Dst = DstIpAddr\n , Duration = NetworkDuration\n , User = DstUsername\n , IpAddr = SrcIpAddr\n | project-rename Dvc = HostName\n};\nParser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json index cd5255af492..c873b739c5c 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json 
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Zscaler ZIA Firewall", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionZscalerZIA", - "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n 
DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, 
ApplicationProtocol, ReportReferenceLink\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Zscaler ZIA Firewall", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionZscalerZIA", + "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n 
NetworkRuleName = Activity,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json index 66b122ce568..16d740103d0 100644 --- a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json 
+++ b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
@@ -358,6 +358,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimNetworkSessionIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -1078,6 +1098,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimNetworkSessionIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
index da1ce681b1d..f0c37dbad81 100644
--- a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
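Review bot: The two new linked deployments (`linkedASimNetworkSessionIllumioSaaSCore` here and `linkedvimNetworkSessionIllumioSaaSCore` in the second hunk) fetch their template from `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/...`, a mutable branch ref, so what is actually deployed is whatever `master` holds at deployment time rather than the content reviewed in this commit, and `"contentVersion": "1.0.0.0"` does not constrain that. The surrounding context lines show the existing entries use the same pattern, so this is a repository-wide convention rather than something the commit introduces, but each new entry adds another deploy-time fetch from an unpinned source. Where reproducible deployments matter, the `uri` could point at a tag- or commit-pinned raw URL instead, e.g. `"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/<release-tag-or-commit>/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json"` (placeholder ref). A short comment-equivalent in the template's `metadata` noting that linked templates track `master` would at least make the behaviour explicit to whoever runs the full deployment.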
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imNetworkSession')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imNetworkSession", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imNetworkSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSecurityEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMerakiSyslog (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , 
vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, 
srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCortexDataLake (starttime, endtime, srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , vimNetworkSessionSonicWallFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmonWindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imNetworkSession", + "query": "let 
DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , 
vimNetworkSessionMicrosoftSecurityEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, 
disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMerakiSyslog (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or 
('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , 
vimNetworkSessionBarracudaCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCortexDataLake (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , vimNetworkSessionSonicWallFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , 
vimNetworkSessionMicrosoftSysmonWindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , vimNetworkSessionIllumioSaaSCore (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionIllumioSaaSCore' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json index e08743f5f8e..e237c6fb537 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json 
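Review bot: The regenerated `query` on the new side still lists `vimNetworkSessionCiscoMeraki` twice in the `union isfuzzy=true` (once right after `vimNetworkSessionVectraAI`, again after `vimNetworkSessionSentinelOne`), so `imNetworkSession` returns every Cisco Meraki row twice; the new `vimNetworkSessionIllumioSaaSCore` entry is fine, but the duplicate was carried over from the old side. Since this JSON is generated, the fix belongs in the source the generator reads: drop the second `, vimNetworkSessionCiscoMeraki (starttime, endtime, ..., ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` line. A smaller point to confirm: `"location": "[parameters('WorkspaceRegion')]"` is kept on the now top-level `workspaces/savedSearches` resource; if the provider ignores `location` on that type, `WorkspaceRegion` becomes an effectively unused parameter — I am not certain of the schema here, so verify against a deployment.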
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionAWSVPC')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionAWSVPC", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for AWS VPC logs", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionAWSVPC", - "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 
70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\n let DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n ];\n let ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n )\n {\n let 
src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n AWSVPCFlow \n | where(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n | where LogStatus == \"OK\"\n // -- Pre-filtering:\n | where\n (isnull(dstportnumber) or (DstPort == dstportnumber))\n and (array_length(hostname_has_any) == 0)\n | extend EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\")\n | where (eventresult == \"*\" or eventresult == EventResult) \n | lookup ActionLookup on Action\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n | lookup ProtocolLookup on Protocol\n | lookup DirectionLookup on FlowDirection\n | project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n 
DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n | project-away Action, AzId, Bytes, FlowDirection, InstanceId, Packets, Protocol, Region, SourceSystem, SublocationId, SublocationType, SubnetId, TcpFlags, TenantId, TrafficPath, Version\n };\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for AWS VPC logs", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionAWSVPC", + "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 
30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\n let DirectionLookup = 
datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n ];\n let ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n )\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n AWSVPCFlow \n | where(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n | where LogStatus == \"OK\"\n // -- Pre-filtering:\n | where\n (isnull(dstportnumber) or (DstPort == dstportnumber))\n and (array_length(hostname_has_any) == 0)\n | extend EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\")\n | where (eventresult == \"*\" or eventresult == EventResult) \n | lookup ActionLookup on Action\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n 
NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n | lookup ProtocolLookup on Protocol\n | lookup DirectionLookup on FlowDirection\n | project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n | project-away Action, AzId, Bytes, FlowDirection, InstanceId, Packets, Protocol, Region, SourceSystem, SublocationId, SublocationType, SubnetId, TcpFlags, TenantId, TrafficPath, Version\n };\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json index 6aea2485afd..20b167404e3 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionAppGateSDP')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionAppGateSDP", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for AppGate SDP", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionAppGateSDP", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n) \n{\n let DirectionLookup = datatable (direction:string, NetworkDirection:string) \n [\n 'up', 'Inbound',\n 'down', 'Outbound'\n ];\n let ActionLookup = datatable (DvcOriginalAction:string, DvcAction:string, EventSeverity:string, EventResult:string)\n [\n 'allow', 'Allow', 'Informational', 'Success',\n 'drop', 'Drop', 'Low', 'Failure',\n 'reject', 'Deny', 'Low', 'Failure',\n 'block', 'Deny', 'Low', 'Failure',\n 'block_report', 'Deny', 'Low', 'Failure',\n 'allow_report', 'Allow', 'Informational', 'Success'\n ];\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_access_events = 
\n Syslog\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and not(disabled)\n and (array_length(hostname_has_any) == 0)\n and ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",'\"event_type\":\"ip_access\"')\n | project TimeGenerated, SyslogMessage, Computer\n ;\n let tcpupd_success = \n ip_access_events\n | where \n SyslogMessage has '\"rule_name\"'\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('\"destination_port\":', tostring(dstportnumber)))) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let tcpupd_fail = \n ip_access_events\n | where \n SyslogMessage has'\"drop-reason\"'\n and SyslogMessage has_any 
('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('\"destination_port\":', tostring(dstportnumber)))) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"drop-reason\":\"' EventOriginalResultDetails:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' *\n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let icmp_success = \n ip_access_events\n | where \n SyslogMessage has '\"ICMP\"'\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber)) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where 
SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"icmp_code\":' NetworkIcmpSubCode:int ',' *\n '\"icmp_type\":' NetworkIcmpCode:int ',' * \n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"version\":' EventProductVersion:string '}' *\n ;\n union tcpupd_success, tcpupd_fail, icmp_success \n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp*\n | where ASimMatchingIpAddr != \"No match\"\n | parse SyslogMessage with \n *\n '\"country_name\":\"' SrcGeoCountry:string '\",' *\n '\"lat\":' SrcGeoLatitude:real ',' * \n '\"lon\":' SrcGeoLongitude:real '}' *\n | parse SyslogMessage with \n *\n '\"city_name\":\"' SrcGeoCity:string '\",' *\n '\"region_name\":\"' SrcGeoRegion:string '\",' *\n | extend \n SrcDvcIdType = 'AppGateId',\n SrcUsernameType = 'UPN'\n // -- Event fields\n | project-rename \n DvcHostname = Computer\n | extend \n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventSchema = 'NetworkSession',\n EventSchemaVersion = 
'0.2.3',\n EventVendor = 'AppGate',\n EventProduct = 'SDP',\n EventType = 'NetworkSession'\n | lookup DirectionLookup on direction\n // -- Aliases\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away \n SyslogMessage, direction\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for AppGate SDP", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionAppGateSDP", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n) \n{\n let DirectionLookup = datatable (direction:string, NetworkDirection:string) \n [\n 'up', 'Inbound',\n 'down', 'Outbound'\n ];\n let ActionLookup = datatable (DvcOriginalAction:string, DvcAction:string, EventSeverity:string, EventResult:string)\n [\n 'allow', 'Allow', 
'Informational', 'Success',\n 'drop', 'Drop', 'Low', 'Failure',\n 'reject', 'Deny', 'Low', 'Failure',\n 'block', 'Deny', 'Low', 'Failure',\n 'block_report', 'Deny', 'Low', 'Failure',\n 'allow_report', 'Allow', 'Informational', 'Success'\n ];\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_access_events = \n Syslog\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and not(disabled)\n and (array_length(hostname_has_any) == 0)\n and ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",'\"event_type\":\"ip_access\"')\n | project TimeGenerated, SyslogMessage, Computer\n ;\n let tcpupd_success = \n ip_access_events\n | where \n SyslogMessage has '\"rule_name\"'\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('\"destination_port\":', tostring(dstportnumber)))) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n 
'\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let tcpupd_fail = \n ip_access_events\n | where \n SyslogMessage has'\"drop-reason\"'\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('\"destination_port\":', tostring(dstportnumber)))) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"drop-reason\":\"' EventOriginalResultDetails:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' *\n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let icmp_success = \n ip_access_events\n | where \n 
SyslogMessage has '\"ICMP\"'\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber)) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"icmp_code\":' NetworkIcmpSubCode:int ',' *\n '\"icmp_type\":' NetworkIcmpCode:int ',' * \n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"version\":' EventProductVersion:string '}' *\n ;\n union tcpupd_success, tcpupd_fail, icmp_success \n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp*\n | where ASimMatchingIpAddr != \"No match\"\n | parse SyslogMessage with \n *\n '\"country_name\":\"' 
SrcGeoCountry:string '\",' *\n '\"lat\":' SrcGeoLatitude:real ',' * \n '\"lon\":' SrcGeoLongitude:real '}' *\n | parse SyslogMessage with \n *\n '\"city_name\":\"' SrcGeoCity:string '\",' *\n '\"region_name\":\"' SrcGeoRegion:string '\",' *\n | extend \n SrcDvcIdType = 'AppGateId',\n SrcUsernameType = 'UPN'\n // -- Event fields\n | project-rename \n DvcHostname = Computer\n | extend \n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventVendor = 'AppGate',\n EventProduct = 'SDP',\n EventType = 'NetworkSession'\n | lookup DirectionLookup on direction\n // -- Aliases\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away \n SyslogMessage, direction\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json index c27aa3cc9c5..a5e94f01714 100644 
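Review bot: The flattened resource keeps `"location": "[parameters('WorkspaceRegion')]"` on the `workspaces/savedSearches` child, but savedSearches is a proxy resource and, as far as I recall, the 2020-08-01 schema exposes no location field; if deployments still succeed the value is silently ignored and `WorkspaceRegion` becomes a dead parameter that could be dropped from the template. A smaller inconsistency on the new side: `functionParameters` ends with `disabled:bool=False` while the query's own signature uses `disabled:bool=false` — presumably a Python bool stringified by the generator; emitting the lowercase KQL literal would keep the two in sync. Both points apply equally to the vimNetworkSessionAzureFirewall hunk below and, since these ARM files look generated from the parser YAML, belong in the generator rather than in hand edits here. Separately, no longer declaring the parent workspace with the `2017-03-15-preview` API means the deployment no longer writes workspace-level settings and presumably needs only saved-search write rights — worth stating in the PR description.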
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionAzureFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionAzureFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Azure Firewall logs", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionAzureFirewall", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let ip_any=set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let AzureFirewallNetworkRuleLogs = \n AzureDiagnostics\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and not(disabled)\n | where Category == \"AzureFirewallNetworkRule\"\n | where isnotempty(msg_s)\n | project msg_s, OperationName, SubscriptionId, ResourceId, TimeGenerated, Type, _ResourceId;\n let prefilter = (T: (msg_s:string, TimeGenerated:datetime, OperationName:string)) {\n T | where \n //(isnull(starttime) or TimeGenerated >= starttime) \n // 
and (isnull(endtime) or TimeGenerated <= endtime) \n (array_length(hostname_has_any) == 0)\n and (isnull(dstportnumber) or msg_s has (tostring(dstportnumber)))\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(msg_s,ip_any)\n ) \n };\n let AzureFirewallSessionLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName in (\"AzureFirewallNetworkRuleLog\",\"AzureFirewallThreatIntelLog\")\n // -- pre-filter\n | where (array_length(dvcaction) == 0) or (msg_s has_any (dvcaction))\n | where (eventresult == \"*\") or ((eventresult == \"Success\") and (msg_s has \"Allow\")) or ((eventresult == \"Failure\") and (msg_s has \"Deny\"))\n | invoke prefilter()\n // -- end pre-filter\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \". Action: \" DvcAction:string\n \".\" *\n | project-away msg_s\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" \n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend NetworkIcmpCode = iff(NetworkProtocol startswith \"ICMP\", toint(extract (\"type=(\\\\d+)\",1,NetworkProtocol)), int(null))\n | extend NetworkIcmpType = iff(isnotnull(NetworkIcmpCode), _ASIM_LookupICMPType(NetworkIcmpCode), \"\")\n | extend NetworkProtocol = iff(NetworkProtocol startswith \"ICMP\", \"ICMP\", NetworkProtocol)\n | extend EventSeverity = case (\n OperationName == \"AzureFirewallThreatIntelLog\", \"Medium\",\n DvcAction == \"Deny\", \"Low\",\n \"Informational\")\n | extend EventResult = iff(DvcAction == \"Allow\", \"Success\", \"Failure\")\n 
;\n let AzureFirewallNATLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName == \"AzureFirewallNatRuleLog\"\n // -- pre-filter\n | where (array_length(dvcaction) == 0) or (\"Allow\" in (dvcaction))\n | where eventresult in (\"*\", \"Success\")\n | invoke prefilter()\n // -- end pre-filter\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \" was DNAT'ed to \" DstNatIpAddr:string\n \":\" DstNatPortNumber:int\n | project-away msg_s\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" \n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend EventSeverity = \"Informational\"\n | extend EventResult = \"Success\"\n | extend DvcAction = \"Allow\"\n ;\n union AzureFirewallSessionLogs, AzureFirewallNATLogs\n | where \n (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // -- end post-filtering\n | extend\n EventVendor=\"Microsoft\",\n EventProduct=\"Azure Firewall\",\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n DvcIdType = \"AzureResourceId\"\n | project-rename\n DvcSubscriptionId = SubscriptionId,\n DvcId = ResourceId\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated // ??\n | project-keep\n ASim*,\n Src*,\n Dst*,\n Event*,\n Dvc*,\n IpAddr,\n NetworkIcmpCode,\n NetworkIcmpType,\n NetworkProtocol,\n Type,\n _ResourceId,\n TimeGenerated\n};\nparser 
(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Azure Firewall logs", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionAzureFirewall", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let ip_any=set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let AzureFirewallNetworkRuleLogs = \n AzureDiagnostics\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and not(disabled)\n | where Category == \"AzureFirewallNetworkRule\"\n | where isnotempty(msg_s)\n | project msg_s, OperationName, SubscriptionId, ResourceId, TimeGenerated, Type, _ResourceId;\n let prefilter = (T: (msg_s:string, TimeGenerated:datetime, OperationName:string)) {\n T | where \n //(isnull(starttime) or TimeGenerated >= starttime) \n // and (isnull(endtime) or TimeGenerated <= endtime) \n 
(array_length(hostname_has_any) == 0)\n and (isnull(dstportnumber) or msg_s has (tostring(dstportnumber)))\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(msg_s,ip_any)\n ) \n };\n let AzureFirewallSessionLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName in (\"AzureFirewallNetworkRuleLog\",\"AzureFirewallThreatIntelLog\")\n // -- pre-filter\n | where (array_length(dvcaction) == 0) or (msg_s has_any (dvcaction))\n | where (eventresult == \"*\") or ((eventresult == \"Success\") and (msg_s has \"Allow\")) or ((eventresult == \"Failure\") and (msg_s has \"Deny\"))\n | invoke prefilter()\n // -- end pre-filter\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \". Action: \" DvcAction:string\n \".\" *\n | project-away msg_s\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" \n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend NetworkIcmpCode = iff(NetworkProtocol startswith \"ICMP\", toint(extract (\"type=(\\\\d+)\",1,NetworkProtocol)), int(null))\n | extend NetworkIcmpType = iff(isnotnull(NetworkIcmpCode), _ASIM_LookupICMPType(NetworkIcmpCode), \"\")\n | extend NetworkProtocol = iff(NetworkProtocol startswith \"ICMP\", \"ICMP\", NetworkProtocol)\n | extend EventSeverity = case (\n OperationName == \"AzureFirewallThreatIntelLog\", \"Medium\",\n DvcAction == \"Deny\", \"Low\",\n \"Informational\")\n | extend EventResult = iff(DvcAction == \"Allow\", \"Success\", \"Failure\")\n ;\n let AzureFirewallNATLogs = \n 
AzureFirewallNetworkRuleLogs\n | where OperationName == \"AzureFirewallNatRuleLog\"\n // -- pre-filter\n | where (array_length(dvcaction) == 0) or (\"Allow\" in (dvcaction))\n | where eventresult in (\"*\", \"Success\")\n | invoke prefilter()\n // -- end pre-filter\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \" was DNAT'ed to \" DstNatIpAddr:string\n \":\" DstNatPortNumber:int\n | project-away msg_s\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" \n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend EventSeverity = \"Informational\"\n | extend EventResult = \"Success\"\n | extend DvcAction = \"Allow\"\n ;\n union AzureFirewallSessionLogs, AzureFirewallNATLogs\n | where \n (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // -- end post-filtering\n | extend\n EventVendor=\"Microsoft\",\n EventProduct=\"Azure Firewall\",\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n DvcIdType = \"AzureResourceId\"\n | project-rename\n DvcSubscriptionId = SubscriptionId,\n DvcId = ResourceId\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated // ??\n | project-keep\n ASim*,\n Src*,\n Dst*,\n Event*,\n Dvc*,\n IpAddr,\n NetworkIcmpCode,\n NetworkIcmpType,\n NetworkProtocol,\n Type,\n _ResourceId,\n TimeGenerated\n};\nparser (starttime, endtime, 
srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json index 7bb43152b02..fafe9b3f1db 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionAzureNSG')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionAzureNSG", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Azure NSG flows", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionAzureNSG", - "query": "let DvcActionLookup = datatable(FlowStatus_s:string, DvcAction:string, EventResult:string) [\n 'A', 'Allow', 'Success',\n 'D', 'Deny', 'Failure',\n];\nlet NetworkDirectionLookup = datatable(FlowDirection_s:string, NetworkDirection:string, isOutBound:bool) [\n 'I', 'Inbound', false,\n 'O', 'Outbound', true\n];\nlet NetworkProtocolLookup = datatable(L4Protocol_s:string, NetworkProtocol:string)[\n 'T', 'TCP',\n 'U', 'UDP'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let prefilter = (T:(TimeGenerated:datetime, SrcIP_s:string, SrcPublicIPs_s:string, DestIP_s:string, DestPublicIPs_s:string, DestPort_d:real, FlowStatus_s:string, VM1_s:string, VM2_s:string)) { \n T\n | where\n 
(isnull(dstportnumber) or dstportnumber == toint(DestPort_d)) \n | extend dataSrcIPs = strcat(SrcIP_s,\" \",SrcPublicIPs_s),\n dataDstIPs = strcat(DestIP_s,\" \",DestPublicIPs_s)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(dataSrcIPs,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(dataDstIPs,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_is_MatchSrcHostname = VM1_s has_any (hostname_has_any)\n , temp_is_MatchDstHostname = VM2_s has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname, \"Both\",\n temp_is_MatchSrcHostname, \"SrcHostname\",\n temp_is_MatchDstHostname, \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | lookup DvcActionLookup on FlowStatus_s\n | where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n | where (eventresult=='*' or EventResult == eventresult)\n }; // prefilter ends\n let AzureNetworkAnalytics = \n AzureNetworkAnalytics_CL\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled) and isnotempty(FlowType_s)\n | lookup NetworkDirectionLookup on FlowDirection_s\n ;\n let AzureNetworkAnalyticsInbound =\n AzureNetworkAnalytics\n | where not(isOutBound)\n | invoke prefilter()\n | project-rename\n DstMacAddr = MACAddress_s\n | extend\n DstBytes = tolong(OutboundBytes_d), // -- size fields seem not to be populated for inbound\n DstPackets = tolong(OutboundPackets_d),\n SrcBytes = tolong(InboundBytes_d),\n SrcPackets = 
tolong(InboundPackets_d),\n SrcInterfaceName = tostring(split(NIC_s, '/')[1]),\n SrcGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM2_s,'/')\n | extend \n DstFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n DstHostname = tostring(hostelements[1]),\n DstDomain = tostring(hostelements[0]),\n DstDomainType = \"ResourceGroup\"\n | extend Hostname = DstHostname\n | project-away hostelements, isOutBound\n ; \n let AzureNetworkAnalyticsOutbound =\n AzureNetworkAnalytics\n | where isOutBound\n | invoke prefilter()\n | project-rename\n SrcMacAddr = MACAddress_s\n | extend\n SrcBytes = tolong(OutboundBytes_d), \n SrcPackets = tolong(OutboundPackets_d),\n DstBytes = tolong(InboundBytes_d),\n DstPackets = tolong(InboundPackets_d),\n DstInterfaceName = tostring(split(NIC_s, '/')[1]),\n DstGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM1_s,'/')\n | extend \n SrcFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n SrcHostname = tostring(hostelements[1]),\n SrcDomain = tostring(hostelements[0]),\n SrcDomainType = \"ResourceGroup\"\n | extend Hostname = SrcHostname\n | project-away hostelements, isOutBound\n ;\n union AzureNetworkAnalyticsInbound, AzureNetworkAnalyticsOutbound\n | project-rename\n Dvc = NSGList_s,\n DvcSubscriptionId = Subscription_g,\n EventEndTime = FlowEndTime_t,\n EventStartTime = FlowStartTime_t,\n NetworkApplicationProtocol = L7Protocol_s,\n NetworkRuleName = NSGRule_s,\n NetworkSessionId = ConnectionName_s,\n EventOriginalSubType = FlowType_s\n | extend\n DstPortNumber = toint(DestPort_d),\n EventProduct = 'NSGFlow',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.3',\n EventSeverity = 'Informational', //??\n EventType = 'Flow',\n EventVendor = 'Microsoft',\n EventCount = toint(AllowedInFlows_d+DeniedInFlows_d+AllowedOutFlows_d+DeniedOutFlows_d),\n NetworkDuration = toint((((EventEndTime - datetime(1970-01-01)) / 1s) - ((EventStartTime - datetime(1970-01-01)) / 1s )) * 1000),\n Rule = 
NetworkRuleName,\n SessionId = NetworkSessionId\n | extend \n DstIpAddr = iff(isnotempty(DestIP_s),\n DestIP_s,\n split(DestPublicIPs_s, '|')[0]),\n Duration = NetworkDuration,\n NetworkBytes = tolong(DstBytes + SrcBytes),\n NetworkPackets = tolong(DstPackets + SrcPackets),\n SrcIpAddr = iff(isnotempty(SrcIP_s),\n SrcIP_s,\n split(SrcPublicIPs_s, '|')[0])\n | extend\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | lookup NetworkProtocolLookup on L4Protocol_s\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Hostname,\n Type,\n Duration,\n SessionId,\n _ResourceId,\n TimeGenerated,\n ASim*\n | project-away *_s\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Azure NSG flows", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionAzureNSG", + "query": "let DvcActionLookup = datatable(FlowStatus_s:string, DvcAction:string, EventResult:string) [\n 'A', 'Allow', 'Success',\n 'D', 'Deny', 'Failure',\n];\nlet NetworkDirectionLookup = datatable(FlowDirection_s:string, NetworkDirection:string, isOutBound:bool) [\n 'I', 'Inbound', false,\n 'O', 'Outbound', true\n];\nlet NetworkProtocolLookup = datatable(L4Protocol_s:string, NetworkProtocol:string)[\n 'T', 'TCP',\n 'U', 'UDP'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n 
dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let prefilter = (T:(TimeGenerated:datetime, SrcIP_s:string, SrcPublicIPs_s:string, DestIP_s:string, DestPublicIPs_s:string, DestPort_d:real, FlowStatus_s:string, VM1_s:string, VM2_s:string)) { \n T\n | where\n (isnull(dstportnumber) or dstportnumber == toint(DestPort_d)) \n | extend dataSrcIPs = strcat(SrcIP_s,\" \",SrcPublicIPs_s),\n dataDstIPs = strcat(DestIP_s,\" \",DestPublicIPs_s)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(dataSrcIPs,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(dataDstIPs,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_is_MatchSrcHostname = VM1_s has_any (hostname_has_any)\n , temp_is_MatchDstHostname = VM2_s has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname, \"Both\",\n temp_is_MatchSrcHostname, \"SrcHostname\",\n temp_is_MatchDstHostname, \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | lookup DvcActionLookup on FlowStatus_s\n | where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n | where (eventresult=='*' or EventResult == eventresult)\n }; // prefilter ends\n let 
AzureNetworkAnalytics = \n AzureNetworkAnalytics_CL\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled) and isnotempty(FlowType_s)\n | lookup NetworkDirectionLookup on FlowDirection_s\n ;\n let AzureNetworkAnalyticsInbound =\n AzureNetworkAnalytics\n | where not(isOutBound)\n | invoke prefilter()\n | project-rename\n DstMacAddr = MACAddress_s\n | extend\n DstBytes = tolong(OutboundBytes_d), // -- size fields seem not to be populated for inbound\n DstPackets = tolong(OutboundPackets_d),\n SrcBytes = tolong(InboundBytes_d),\n SrcPackets = tolong(InboundPackets_d),\n SrcInterfaceName = tostring(split(NIC_s, '/')[1]),\n SrcGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM2_s,'/')\n | extend \n DstFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n DstHostname = tostring(hostelements[1]),\n DstDomain = tostring(hostelements[0]),\n DstDomainType = \"ResourceGroup\"\n | extend Hostname = DstHostname\n | project-away hostelements, isOutBound\n ; \n let AzureNetworkAnalyticsOutbound =\n AzureNetworkAnalytics\n | where isOutBound\n | invoke prefilter()\n | project-rename\n SrcMacAddr = MACAddress_s\n | extend\n SrcBytes = tolong(OutboundBytes_d), \n SrcPackets = tolong(OutboundPackets_d),\n DstBytes = tolong(InboundBytes_d),\n DstPackets = tolong(InboundPackets_d),\n DstInterfaceName = tostring(split(NIC_s, '/')[1]),\n DstGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM1_s,'/')\n | extend \n SrcFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n SrcHostname = tostring(hostelements[1]),\n SrcDomain = tostring(hostelements[0]),\n SrcDomainType = \"ResourceGroup\"\n | extend Hostname = SrcHostname\n | project-away hostelements, isOutBound\n ;\n union AzureNetworkAnalyticsInbound, AzureNetworkAnalyticsOutbound\n | project-rename\n Dvc = NSGList_s,\n DvcSubscriptionId = Subscription_g,\n EventEndTime = FlowEndTime_t,\n EventStartTime = 
FlowStartTime_t,\n NetworkApplicationProtocol = L7Protocol_s,\n NetworkRuleName = NSGRule_s,\n NetworkSessionId = ConnectionName_s,\n EventOriginalSubType = FlowType_s\n | extend\n DstPortNumber = toint(DestPort_d),\n EventProduct = 'NSGFlow',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.3',\n EventSeverity = 'Informational', //??\n EventType = 'Flow',\n EventVendor = 'Microsoft',\n EventCount = toint(AllowedInFlows_d+DeniedInFlows_d+AllowedOutFlows_d+DeniedOutFlows_d),\n NetworkDuration = toint((((EventEndTime - datetime(1970-01-01)) / 1s) - ((EventStartTime - datetime(1970-01-01)) / 1s )) * 1000),\n Rule = NetworkRuleName,\n SessionId = NetworkSessionId\n | extend \n DstIpAddr = iff(isnotempty(DestIP_s),\n DestIP_s,\n split(DestPublicIPs_s, '|')[0]),\n Duration = NetworkDuration,\n NetworkBytes = tolong(DstBytes + SrcBytes),\n NetworkPackets = tolong(DstPackets + SrcPackets),\n SrcIpAddr = iff(isnotempty(SrcIP_s),\n SrcIP_s,\n split(SrcPublicIPs_s, '|')[0])\n | extend\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | lookup NetworkProtocolLookup on L4Protocol_s\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Hostname,\n Type,\n Duration,\n SessionId,\n _ResourceId,\n TimeGenerated,\n ASim*\n | project-away *_s\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
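Review bot: The regenerated `functionParameters` string on the new side ends in `disabled:bool=False`, while the embedded query's own signature a few lines earlier declares `disabled:bool=false`; the capitalised literal looks like a Python `False` leaking through the generator rather than a deliberate KQL spelling. If the saved-search parameter declaration is parsed case-sensitively this would reject the function at deployment, so it is worth confirming once against a deployed workspace; either way the two defaults should agree, e.g. `disabled:bool=false`. The same string is emitted unchanged in the vimNetworkSessionBarracudaCEF and vimNetworkSessionBarracudaWAF hunks below (and presumably every other regenerated template), so the fix belongs in the generator rather than in these files.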
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json index 5a0afb90a5e..8e63af38325 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionBarracudaCEF", - "query": "let ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]),\n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false){\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); 
\nlet dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"NF\"\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n and (array_length(hostname_has_any) == 0 or DeviceName has_any (hostname_has_any))\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | lookup EventResultLookup on $left.DeviceAction == $right.ActionID_s\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on $left.Protocol == $right.Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n DvcIpAddr = DestinationIP, \n DstPortNumber = toint(DestinationPort),\n SrcPortNumber = toint(SourcePort),\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | 
extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst=DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n temp_*,\n TenantId,CollectorHostName;\nBarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionBarracudaCEF", + "query": "let ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet 
SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]),\n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false){\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"NF\"\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n and (array_length(hostname_has_any) == 0 or DeviceName has_any (hostname_has_any))\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | lookup EventResultLookup on $left.DeviceAction == $right.ActionID_s\n | where (array_length(dvcaction) == 0 or DvcAction 
has_any(dvcaction))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on $left.Protocol == $right.Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n DvcIpAddr = DestinationIP, \n DstPortNumber = toint(DestinationPort),\n SrcPortNumber = toint(SourcePort),\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst=DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n temp_*,\n TenantId,CollectorHostName;\nBarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled\n)", + "version": 
1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json index f5c9d9086ee..59268e62134 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionBarracudaWAF", - "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: 
string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]),\n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false){\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCustom = union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and LogType_s == \"NF\"\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP_s, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n and (array_length(hostname_has_any) == 0 or host_s has_any (hostname_has_any))\n | where (isnull(dstportnumber) or (DestinationPort_d == dstportnumber))\n | lookup EventResultLookup on ActionID_s\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n 
DstIpAddr = DestinationIP_s,\n SrcIpAddr = SourceIP,\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s, \n DstPortNumber = toint(DestinationPort_d),\n SrcPortNumber = toint(SourcePort_d),\n EventProductVersion = DeviceVersion_s,\n EventUid = _ItemId,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n RawData,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem,\n temp_SrcMatch,\n temp_DstMatch,\n SourceIP;\nBarracudaCustom\n};parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionBarracudaWAF", + "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: 
string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]),\n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false){\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCustom = union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and LogType_s == \"NF\"\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP_s, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 
0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n and (array_length(hostname_has_any) == 0 or host_s has_any (hostname_has_any))\n | where (isnull(dstportnumber) or (DestinationPort_d == dstportnumber))\n | lookup EventResultLookup on ActionID_s\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n DstIpAddr = DestinationIP_s,\n SrcIpAddr = SourceIP,\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s, \n DstPortNumber = toint(DestinationPort_d),\n SrcPortNumber = toint(SourcePort_d),\n EventProductVersion = DeviceVersion_s,\n EventUid = _ItemId,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n RawData,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem,\n temp_SrcMatch,\n temp_DstMatch,\n SourceIP;\nBarracudaCustom\n};parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled\n)", + "version": 
1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json index d2f729b1aed..ec48ec479c9 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCheckPointFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCheckPointFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Check Point Firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCheckPointFirewall", - "query": "let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n [\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , 
\"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , 
\"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\n let DirectionLookup=datatable(conn_direction:string,NetworkDirection:string)\n [\n \"Incoming\",\"Inbound\", \n \"Outgoing\",\"Outbound\", \n \"Internal\",\"Local\"];\n let ActionLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Accept\",\"Allow\",\"Success\",\"Informational\",\n \"Allow\",\"Allow\",\"Success\",\"Informational\",\n \"Drop\",\"Drop\",\"Failure\",\"Low\",\n \"Reject\",\"Deny\",\"Failure\",\"Low\",\n \"Encrypt\",\"Encrypt\",\"Success\",\"Informational\",\n \"Decrypt\",\"Decrypt\",\"Success\",\"Informational\",\n \"Bypass\",\"Allow\",\"Success\",\"Informational\",\n \"Block\",\"Deny\",\"Failure\",\"Low\",\n \"\",\"\",\"NA\",\"Informational\"\n ];\n let NWParser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where \n array_length(hostname_has_any) == 0\n | where DeviceVendor==\"Check Point\" and DeviceProduct==\"VPN-1 & FireWall-1\"\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not 
requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | lookup ActionLookup on DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or (EventResult == eventresult))\n | lookup ProtocolLookup on Protocol\n | extend \n EventProduct = \"Firewall\",\n EventCount = toint(1),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\"\n | parse-kv AdditionalExtensions as (\n rule_uid:string,\n loguid:string,\n origin:string,\n originsicname:string,\n inzone:string,\n outzone:string,\n conn_direction:string,\n alert:string,\n inspection_category:string,\n inspection_item:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n ThreatCategory = coalesce(alert, inspection_category),\n NetworkRuleName = coalesce(DeviceCustomString2, rule_uid, Activity),\n EventStartTime = TimeGenerated\n | parse originsicname with \"CN\\\\=\" DvcHostname \",\" *\n | project-rename\n Dvc = origin, \n EventOriginalUid = loguid,\n ThreatName = inspection_item,\n EventVendor = DeviceVendor,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventOriginalSeverity = LogSeverity,\n Rule = NetworkRuleName,\n DvcOriginalAction = DeviceAction,\n DstAppName = Activity,\n EventMessage = Message\n | lookup DirectionLookup on conn_direction\n | extend \n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n NetworkDirection = case(\n isnotempty(NetworkDirection), 
NetworkDirection,\n inzone == \"Internal\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Local\",\n (inzone == \"Internal\" or inzone == \"Local\") and outzone == \"External\", \"Outbound\",\n inzone == \"External\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Inbound\",\n CommunicationDirection == \"0\", \"Inbound\",\n CommunicationDirection == \"1\", \"Outbound\",\n \"\"\n ),\n EventSeverity = iif(isnotempty(ThreatCategory),\"High\",EventSeverity),\n NetworkIcmpType = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n ),\n NetworkIcmpCode = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber3\", long(null))),\n toint(column_ifexists(\"DeviceCustomNumber3\",long(null)))\n )\n | project-away ApplicationProtocol, AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, ReportReferenceLink, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, rule_uid, originsicname, inzone, outzone, alert, conn_direction, inspection_category, temp_isDstMatch, temp_isSrcMatch, ExtID, EventOutcome, FieldDevice*, Reason\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Check Point Firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCheckPointFirewall", + "query": "let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n [\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , 
\"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\n let DirectionLookup=datatable(conn_direction:string,NetworkDirection:string)\n [\n \"Incoming\",\"Inbound\", \n \"Outgoing\",\"Outbound\", \n \"Internal\",\"Local\"];\n let 
ActionLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Accept\",\"Allow\",\"Success\",\"Informational\",\n \"Allow\",\"Allow\",\"Success\",\"Informational\",\n \"Drop\",\"Drop\",\"Failure\",\"Low\",\n \"Reject\",\"Deny\",\"Failure\",\"Low\",\n \"Encrypt\",\"Encrypt\",\"Success\",\"Informational\",\n \"Decrypt\",\"Decrypt\",\"Success\",\"Informational\",\n \"Bypass\",\"Allow\",\"Success\",\"Informational\",\n \"Block\",\"Deny\",\"Failure\",\"Low\",\n \"\",\"\",\"NA\",\"Informational\"\n ];\n let NWParser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where \n array_length(hostname_has_any) == 0\n | where DeviceVendor==\"Check Point\" and DeviceProduct==\"VPN-1 & FireWall-1\"\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | lookup ActionLookup on 
DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or (EventResult == eventresult))\n | lookup ProtocolLookup on Protocol\n | extend \n EventProduct = \"Firewall\",\n EventCount = toint(1),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\"\n | parse-kv AdditionalExtensions as (\n rule_uid:string,\n loguid:string,\n origin:string,\n originsicname:string,\n inzone:string,\n outzone:string,\n conn_direction:string,\n alert:string,\n inspection_category:string,\n inspection_item:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n ThreatCategory = coalesce(alert, inspection_category),\n NetworkRuleName = coalesce(DeviceCustomString2, rule_uid, Activity),\n EventStartTime = TimeGenerated\n | parse originsicname with \"CN\\\\=\" DvcHostname \",\" *\n | project-rename\n Dvc = origin, \n EventOriginalUid = loguid,\n ThreatName = inspection_item,\n EventVendor = DeviceVendor,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventOriginalSeverity = LogSeverity,\n Rule = NetworkRuleName,\n DvcOriginalAction = DeviceAction,\n DstAppName = Activity,\n EventMessage = Message\n | lookup DirectionLookup on conn_direction\n | extend \n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n NetworkDirection = case(\n isnotempty(NetworkDirection), NetworkDirection,\n inzone == \"Internal\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Local\",\n (inzone == \"Internal\" or inzone == \"Local\") and outzone == \"External\", \"Outbound\",\n inzone == \"External\" and (outzone == \"Internal\" or outzone == \"Local\"), 
\"Inbound\",\n CommunicationDirection == \"0\", \"Inbound\",\n CommunicationDirection == \"1\", \"Outbound\",\n \"\"\n ),\n EventSeverity = iif(isnotempty(ThreatCategory),\"High\",EventSeverity),\n NetworkIcmpType = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n ),\n NetworkIcmpCode = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber3\", long(null))),\n toint(column_ifexists(\"DeviceCustomNumber3\",long(null)))\n )\n | project-away ApplicationProtocol, AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, ReportReferenceLink, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, rule_uid, originsicname, inzone, outzone, alert, conn_direction, inspection_category, temp_isDstMatch, temp_isSrcMatch, ExtID, EventOutcome, FieldDevice*, Reason\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
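Review bot: The flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource at the top of the hunk now requires the workspace named by `parameters('Workspace')` to already exist: the removed nested form declared the parent `workspaces` resource (apiVersion 2017-03-15-preview) and so could create or modify the workspace itself, whereas the new form fails on a missing parent instead of silently creating one. That is the better least-privilege shape (the deploying principal presumably needs write only on saved searches, not on the workspace), but nothing in the visible lines says so; the `Workspace` parameter metadata (outside this hunk) and the `func_arm_template.json` the generator copies from should state it, e.g. `"description": "Name of an existing Log Analytics workspace; this template does not create it."`. Note also that `"etag": "*"` is kept, so any existing saved search with this alias is overwritten unconditionally on every deployment. Separately, the moved KQL still filters with `(EventResult == eventresult)` (case-sensitive) while the Barracuda parser earlier in this diff uses `EventResult =~ eventresult`; aligning on `=~` would keep a caller passing `'success'` from silently getting no rows from this source.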
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json index d2019c2da19..a921bb70636 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoASA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco ASA", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with 
reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch 
and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" 
DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend 
SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. 
TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == 
eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = 
trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where 
((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = 
coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco ASA", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoASA", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed 
out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch 
and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" 
DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend 
SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. 
TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == 
eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = 
trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where 
((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = 
coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json index d8c98d66d55..51dc52a1955 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoFirepower')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoFirepower", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco Firepower", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoFirepower", - "query": "let ActionLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", \"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", 
\"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n[\n \"N/A\", \"NA\",\n \"IP Block\", \"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let AllLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\n and (array_length(hostname_has_any) == 0 or DestinationDnsDomain has_any (hostname_has_any)) \n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", \n (temp_isSrcMatch and temp_isDstMatch), \"Both\", \n temp_isSrcMatch, 
\"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend temp_is_MatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=') \n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = 
_ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = 
SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber,\n temp*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoFirepower", + "query": "let ActionLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", \"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n[\n \"N/A\", \"NA\",\n \"IP Block\", 
\"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let AllLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\n and (array_length(hostname_has_any) == 0 or DestinationDnsDomain has_any (hostname_has_any)) \n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", \n (temp_isSrcMatch and temp_isDstMatch), \"Both\", \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend temp_is_MatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n 
array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=') \n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = 
iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n 
NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber,\n temp*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json index 253a98e8572..c70fbc26768 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: string,\nEventResult: string,\nDvcAction: string,\nEventResultDetails: string,\nEventSubType: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nEventMessage: string,\nEventOriginalResultDetails: string\n)[\n\"25023\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAP connect to domain controller succeeded\", \"LDAP connect to domain controller succeeded\",\n\"25024\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connect to domain controller failed\", \"LDAP connect to domain controller failed\",\n\"25025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAP connect to global catalog succeeded\", \"LDAP connect to domain controller succeeded\",\n\"25026\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connect to global catalog failed\", \"LDAP connect to domain controller failed\",\n\"25027\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"RPC connect to domain controller succeeded\", \"RPC connect to domain controller succeeded\",\n\"25028\", \"Failure\", \"Drop\", 
\"Terminated\", \"End\", \"ERROR\", \"Low\", \"RPC connect to domain controller failed\", \"RPC connect to domain controller failed\",\n\"25029\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"KDC connect to domain controller succeeded\", \"KDC connect to domain controller succeeded\",\n\"25030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"KDC connect to domain controller failed\", \"KDC connect to domain controller failed\",\n\"25101\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external REST ID store server\", \"ISE successfully connect to external REST ID store server\",\n\"25102\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external REST database failed\", \"ISE failed to establish a new connection to external REST database\",\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from APIC\",\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS 
peer\",\n\"61026\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\n\"60509\", \"Failure\", \"Deny\", \"Maximum Retry\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as maximum possible connection was exceeded\",\n\"61231\", \"Failure\", \"Drop\", \"Routing issue\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\n\"61232\", \"Failure\", \"Drop\", \"Routing issue\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka connection to ACI error while sending message\",\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP server\",\n\"24019\", \"Failure\", \"Drop\", \"Unknown\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\n\"24030\", \"Failure\", \"Drop\", \"Unknown\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active Directory agent established successfully\",\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active 
Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\n\"24429\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\n\"24851\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\n\"34147\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake Failed\", \"JGroups TLS Handshake Failed\",\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\n\"34149\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\n\"34159\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\n\"34160\", \"Success\", 
\"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with SSL error\",\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\n\"34164\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\n\"90066\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\n\"11317\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. 
Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. Check network device enabled ssh connections from ISE (ip address)\",\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\n];\nlet GetSrcIpAddr = (src_ip: string) {\n case ( \n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\n src_ip,\n \"\"\n )\n};\nlet GetMacAddr = (mac: string) {\n case ( \n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\n mac,\n \"\"\n )\n};\nlet CiscoISENSParser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (eventresult == \"*\" or eventresult == EventResult) \n and (array_length(dvcaction) == 0 or DvcAction in~ (dvcaction))\n | summarize make_set(EventOriginalType));\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in 
(EventOriginalTypeList)\n and (array_length(ip_any) == 0 or has_any_ipv4_prefix(SyslogMessage, ip_any)) \n and (array_length(hostname_has_any) == 0 or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('DestinationPort=', tostring(dstportnumber))))\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n DstIpAddr=DestinationIPAddress\n , DstPortNumber=DestinationPort\n , SrcPortNumber=['Device Port']\n , NetworkApplicationProtocol=Protocol\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventType = \"NetworkSession\"\n , EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\n , DstUsername = coalesce(UserName, ['User-Name'], User)\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\n //********************** 
************************\n | extend \n Dvc = coalesce(DvcHostname, DvcIpAddr)\n , IpAddr = SrcIpAddr\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , User = DstUsername\n //********************** ***********************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n ['Device IP Address'],\n ['Remote-Address'],\n ['Calling-Station-ID'],\n ['Called-Station-ID']\n};\nCiscoISENSParser(\nstarttime=starttime,\nendtime=endtime, \nsrcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \ndstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \nipaddr_has_any_prefix=ipaddr_has_any_prefix, \ndstportnumber=dstportnumber, \nhostname_has_any=hostname_has_any, \ndvcaction=dvcaction, \neventresult=eventresult, \ndisabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: string,\nEventResult: string,\nDvcAction: string,\nEventResultDetails: string,\nEventSubType: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nEventMessage: string,\nEventOriginalResultDetails: string\n)[\n\"25023\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAP connect to domain controller succeeded\", \"LDAP connect to domain controller succeeded\",\n\"25024\", \"Failure\", \"Drop\", 
\"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connect to domain controller failed\", \"LDAP connect to domain controller failed\",\n\"25025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAP connect to global catalog succeeded\", \"LDAP connect to domain controller succeeded\",\n\"25026\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connect to global catalog failed\", \"LDAP connect to domain controller failed\",\n\"25027\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"RPC connect to domain controller succeeded\", \"RPC connect to domain controller succeeded\",\n\"25028\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"RPC connect to domain controller failed\", \"RPC connect to domain controller failed\",\n\"25029\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"KDC connect to domain controller succeeded\", \"KDC connect to domain controller succeeded\",\n\"25030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"KDC connect to domain controller failed\", \"KDC connect to domain controller failed\",\n\"25101\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external REST ID store server\", \"ISE successfully connect to external REST ID store server\",\n\"25102\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external REST database failed\", \"ISE failed to establish a new connection to external REST database\",\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", 
\"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from APIC\",\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS peer\",\n\"61026\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\n\"60509\", \"Failure\", \"Deny\", \"Maximum Retry\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as maximum possible connection was exceeded\",\n\"61231\", \"Failure\", \"Drop\", \"Routing issue\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\n\"61232\", \"Failure\", \"Drop\", \"Routing issue\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka connection to ACI error while sending message\",\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP 
server\",\n\"24019\", \"Failure\", \"Drop\", \"Unknown\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\n\"24030\", \"Failure\", \"Drop\", \"Unknown\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active Directory agent established successfully\",\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\n\"24429\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\n\"24851\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\n\"34147\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake 
Failed\", \"JGroups TLS Handshake Failed\",\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\n\"34149\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\n\"34159\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\n\"34160\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with SSL error\",\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\n\"34164\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\n\"90066\", \"Failure\", \"Drop\", 
\"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\n\"11317\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. Check network device enabled ssh connections from ISE (ip address)\",\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\n];\nlet GetSrcIpAddr = (src_ip: string) {\n case ( \n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\n src_ip,\n \"\"\n )\n};\nlet GetMacAddr = (mac: string) {\n case ( \n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\n mac,\n \"\"\n )\n};\nlet CiscoISENSParser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let ip_any = 
set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (eventresult == \"*\" or eventresult == EventResult) \n and (array_length(dvcaction) == 0 or DvcAction in~ (dvcaction))\n | summarize make_set(EventOriginalType));\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n and (array_length(ip_any) == 0 or has_any_ipv4_prefix(SyslogMessage, ip_any)) \n and (array_length(hostname_has_any) == 0 or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('DestinationPort=', tostring(dstportnumber))))\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n DstIpAddr=DestinationIPAddress\n , DstPortNumber=DestinationPort\n , SrcPortNumber=['Device Port']\n , NetworkApplicationProtocol=Protocol\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventType = \"NetworkSession\"\n , 
EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\n , DstUsername = coalesce(UserName, ['User-Name'], User)\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\n //********************** ************************\n | extend \n Dvc = coalesce(DvcHostname, DvcIpAddr)\n , IpAddr = SrcIpAddr\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , User = DstUsername\n //********************** ***********************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n ['Device IP Address'],\n ['Remote-Address'],\n ['Calling-Station-ID'],\n ['Called-Station-ID']\n};\nCiscoISENSParser(\nstarttime=starttime,\nendtime=endtime, \nsrcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \ndstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \nipaddr_has_any_prefix=ipaddr_has_any_prefix, \ndstportnumber=dstportnumber, \nhostname_has_any=hostname_has_any, \ndvcaction=dvcaction, \neventresult=eventresult, \ndisabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No 
newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json index cbc0a2e60c3..6f45b405d8a 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoMeraki", - "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n [\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup = datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, 
\"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup = datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", 
\"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup = datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"0\", \"Allow\", \"Success\",\n \"1\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = (\n meraki_CL\n | project-rename LogMessage = Message\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked 
DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]),\n Device = tostring(Parser[1])\n | parse Substring with * \"timestamp=\" timestamp: string \" \" *\n | extend\n Epoch = iff(isnotempty(timestamp), timestamp, tostring(Parser[0]))\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where (array_length(hostname_has_any) == 0)\n and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))\n and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), 
coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(trim(\"'\", pattern1), trim(\"'\", pattern2))\n | extend pattern = trim('\"', pattern)\n | extend direction = case(pattern has_any ('0','1'), 'ingress', pattern has_any ('allow','deny'), 'egress', 'unknown')\n | lookup NetworkDirectionLookup on direction\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost)\n | extend EventMessage = trim(\"'\", message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType in (\"ssid_spoofing_detected\", \"rogue_ssid_detected\")\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n 
EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', 
vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip: string \"]:\" temp_port: string \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend\n SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr),\n EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | where (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend protocol = trim('\"', protocol)\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend temp_srcipport = trim('\"', coalesce(src, ip_src, last_known_client_ip))\n | parse temp_srcipport with * \"[\" temp_srcip: string \"]:\" temp_srcport: string \n | extend SrcIpAddr = case( \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0],\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = trim('\"', coalesce(dst, dns_server))\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n 
| extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | where (isnull(dstportnumber) or dstportnumber == DstPortNumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend NetworkIcmpType = iff((protocol == 'icmp6' and isnotempty(NetworkIcmpCode)) and (NetworkIcmpCode between (5 .. 99) or NetworkIcmpCode between (102 .. 126) or NetworkIcmpCode between(162 .. 199) or NetworkIcmpCode between (202 .. 
254)), \"Unassigned\", NetworkIcmpType)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(trim('\"', duration)) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,ManagementGroupName,NetworkProtocolNumber\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoMeraki", + "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n [\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup = datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast 
Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup = datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup = 
datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"0\", \"Allow\", \"Success\",\n \"1\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = (\n meraki_CL\n | project-rename LogMessage = Message\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has 
\"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]),\n Device = tostring(Parser[1])\n | parse Substring with * \"timestamp=\" timestamp: string \" \" *\n | extend\n Epoch = iff(isnotempty(timestamp), timestamp, tostring(Parser[0]))\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where (array_length(hostname_has_any) == 0)\n and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))\n and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(trim(\"'\", pattern1), trim(\"'\", pattern2))\n | extend pattern = trim('\"', pattern)\n | extend direction = case(pattern has_any ('0','1'), 'ingress', pattern has_any 
('allow','deny'), 'egress', 'unknown')\n | lookup NetworkDirectionLookup on direction\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost)\n | extend EventMessage = trim(\"'\", message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType in (\"ssid_spoofing_detected\", \"rogue_ssid_detected\")\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" 
or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip: string \"]:\" temp_port: string \n | extend SrcIpAddr = case(\n 
temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend\n SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr),\n EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | where (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend protocol = trim('\"', protocol)\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend temp_srcipport = trim('\"', coalesce(src, ip_src, last_known_client_ip))\n | parse temp_srcipport with * \"[\" temp_srcip: string \"]:\" temp_srcport: string \n | extend SrcIpAddr = case( \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0],\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = trim('\"', coalesce(dst, dns_server))\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, 
\"\", DstIpAddr)\n | where (isnull(dstportnumber) or dstportnumber == DstPortNumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend NetworkIcmpType = iff((protocol == 'icmp6' and isnotempty(NetworkIcmpCode)) and (NetworkIcmpCode between (5 .. 99) or NetworkIcmpCode between (102 .. 126) or NetworkIcmpCode between(162 .. 199) or NetworkIcmpCode between (202 .. 254)), \"Unassigned\", NetworkIcmpType)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(trim('\"', duration)) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n 
client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,ManagementGroupName,NetworkProtocolNumber\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json index 7f872137385..7ebe916fb76 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json 
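Review bot: The `EventResultDetails` override in the `EventsData_associ` branch of the new-side query repeats the same range twice — `(toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31)` — so the second disjunct is dead and reason codes outside the lookup table (41–97 are absent from `EventResultDetailsLookup`) are left with an empty `EventResultDetails` instead of "Unknown"; presumably the second half was meant to be a different range, e.g. `| extend EventResultDetails = iff(toint(reason) between (25 .. 31) or toint(reason) between (41 .. 97), "Unknown", EventResultDetails)` — confirm the intended range against the Meraki disassociation reason codes. This defect predates the commit but survives on the new side, and since this JSON looks like generated output (the query text is byte-identical across the removed and added resource shapes), the fix belongs in the parser's source definition rather than here. Separately, by dropping the wrapping `Microsoft.OperationalInsights/workspaces` resource and its `dependsOn`, the template now assumes the workspace already exists in the target resource group and will fail rather than create it; that is the safer behaviour, but it is worth stating in the template's `Workspace` parameter metadata so operators are not surprised.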
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoMerakiSyslog", - "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n [\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup = datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination 
Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup = datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", 
\"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup = datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage 
has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]),\n Device = tostring(Parser[1])\n | parse Substring with * \"timestamp=\" timestamp: string \" \" *\n | extend\n Epoch = iff(isnotempty(timestamp), timestamp, tostring(Parser[0]))\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where (array_length(hostname_has_any) == 0)\n and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))\n and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = 
iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(trim(\"'\", pattern1), trim(\"'\", pattern2))\n | extend pattern = trim('\"', pattern)\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost)\n | extend EventMessage = trim(\"'\", message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType in (\"ssid_spoofing_detected\", \"rogue_ssid_detected\")\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | 
parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", 
temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip: string \"]:\" temp_port: string \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend\n SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr),\n EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | where (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend protocol = trim('\"', protocol)\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend temp_srcipport = trim('\"', coalesce(src, ip_src, last_known_client_ip))\n | parse temp_srcipport with * \"[\" temp_srcip: string \"]:\" temp_srcport: string \n | extend SrcIpAddr = case( \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0],\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = trim('\"', coalesce(dst, dns_server))\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], 
DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | where (isnull(dstportnumber) or dstportnumber == DstPortNumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend NetworkIcmpType = iff((protocol == 'icmp6' and isnotempty(NetworkIcmpCode)) and (NetworkIcmpCode between (5 .. 99) or NetworkIcmpCode between (102 .. 126) or NetworkIcmpCode between(162 .. 199) or NetworkIcmpCode between (202 .. 
254)), \"Unassigned\", NetworkIcmpType)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(trim('\"', duration)) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName,NetworkProtocolNumber\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoMerakiSyslog", + "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n [\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup = datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, 
\"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup = datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet 
EventSeverityDvcActionLookup = datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", 
\"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]),\n Device = tostring(Parser[1])\n | parse Substring with * \"timestamp=\" timestamp: string \" \" *\n | extend\n Epoch = iff(isnotempty(timestamp), timestamp, tostring(Parser[0]))\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where (array_length(hostname_has_any) == 0)\n and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))\n and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(trim(\"'\", pattern1), trim(\"'\", pattern2))\n | extend pattern = trim('\"', pattern)\n | lookup DvcActionLookup on pattern\n | lookup 
EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost)\n | extend EventMessage = trim(\"'\", message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType in (\"ssid_spoofing_detected\", \"rogue_ssid_detected\")\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as 
(last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip: string \"]:\" temp_port: string \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = 
toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend\n SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr),\n EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | where (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend protocol = trim('\"', protocol)\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend temp_srcipport = trim('\"', coalesce(src, ip_src, last_known_client_ip))\n | parse temp_srcipport with * \"[\" temp_srcip: string \"]:\" temp_srcport: string \n | extend SrcIpAddr = case( \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0],\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = trim('\"', coalesce(dst, dns_server))\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | where (isnull(dstportnumber) or dstportnumber == DstPortNumber)\n | extend\n temp_SrcMatch = 
has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend NetworkIcmpType = iff((protocol == 'icmp6' and isnotempty(NetworkIcmpCode)) and (NetworkIcmpCode between (5 .. 99) or NetworkIcmpCode between (102 .. 126) or NetworkIcmpCode between(162 .. 199) or NetworkIcmpCode between (202 .. 254)), \"Unassigned\", NetworkIcmpType)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(trim('\"', duration)) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n 
restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName,NetworkProtocolNumber\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json index 2fbcb856480..dea11980926 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCorelightZeek')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCorelightZeek", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Corelight Zeek", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCorelightZeek", - "query": "let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, NetworkDirection: string)\n[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n];\nlet ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string)\n[ \n 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',\n 'S1', 'Success', '', 'Connection established, not terminated', 'Informational',\n 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', // Note that this is the same symbol as for state S1. 
You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.\n 'REJ', 'Failure', 'Rejeced', 'Connection attempt rejected', 'Low',\n 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',\n 'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',\n 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',\n 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',\n 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',\n 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',\n 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',\n 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',\n 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n) \n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n Corelight_CL \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and not(disabled)\n and (array_length(hostname_has_any) == 0)\n and 
(array_length(dvcaction) == 0)\n and (Message has '\"_path\":\"conn\"' or Message has '\"conn_red\"')\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(Message,ip_any)) \n and (isnull(dstportnumber) or Message has (strcat('\"id.resp_p\":', tostring(dstportnumber)))) \n | project Message\n | parse Message with * '\"conn_state\":\"' conn_state '\",' *\n | lookup ResultLookup on conn_state\n | where (eventresult == \"*\" or eventresult == EventResult)\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"service\"']:string,\n ['\"duration\"']:int,\n ['\"orig_bytes\"']:long,\n ['\"resp_bytes\"']:long,\n ['\"local_orig\"']:bool,\n ['\"local_resp\"']:bool,\n ['\"missed_bytes\"']:long,\n ['\"history\"']:string,\n ['\"orig_pkts\"']:long,\n ['\"resp_pkts\"']:long,\n ['\"orig_l2_addr\"']:string,\n ['\"resp_l2_addr\"']:string,\n ['\"community_id']:string,\n ['\"vlan\"']:string,\n ['\"inner_vlan\"']:string\n ) \n with (quote = '\"')\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.4\",\n EventType=\"Flow\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n NetworkApplicationProtocol = ['\"service\"'],\n NetworkDuration = ['\"duration\"'],\n SrcBytes = ['\"orig_bytes\"'],\n DstBytes = ['\"resp_bytes\"'],\n local_orig = ['\"local_orig\"'],\n local_resp = ['\"local_resp\"'],\n FlowMissedBytes = ['\"missed_bytes\"'],\n SrcPackets = ['\"orig_pkts\"'],\n DstPackets = ['\"resp_pkts\"'],\n SrcMacAddr = ['\"orig_l2_addr\"'],\n 
DstMacAddr = ['\"resp_l2_addr\"'],\n DstVlanId = ['\"vlan\"'],\n SrcVlanId = ['\"inner_vlan\"'],\n FlowHistory = ['\"history\"'],\n NetworkSessionId = ['\"community_id'],\n Dvc = ['\"_system_name\"']\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp*\n | where ASimMatchingIpAddr != \"No match\"\n | lookup NetworkDirectionLookup on local_orig, local_resp\n | extend\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n NetworkProtocol = toupper(NetworkProtocol)\n // Aliases\n | extend \n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=NetworkDuration,\n SessionId = NetworkSessionId,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n Dst=DstIpAddr\n | project-away Message, local_orig, local_resp, conn_state\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM 
filtering parser for Corelight Zeek", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCorelightZeek", + "query": "let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, NetworkDirection: string)\n[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n];\nlet ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string)\n[ \n 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',\n 'S1', 'Success', '', 'Connection established, not terminated', 'Informational',\n 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', // Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.\n 'REJ', 'Failure', 'Rejeced', 'Connection attempt rejected', 'Low',\n 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',\n 'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',\n 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',\n 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',\n 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',\n 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',\n 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',\n 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',\n 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n 
endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n) \n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n Corelight_CL \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and not(disabled)\n and (array_length(hostname_has_any) == 0)\n and (array_length(dvcaction) == 0)\n and (Message has '\"_path\":\"conn\"' or Message has '\"conn_red\"')\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(Message,ip_any)) \n and (isnull(dstportnumber) or Message has (strcat('\"id.resp_p\":', tostring(dstportnumber)))) \n | project Message\n | parse Message with * '\"conn_state\":\"' conn_state '\",' *\n | lookup ResultLookup on conn_state\n | where (eventresult == \"*\" or eventresult == EventResult)\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"service\"']:string,\n ['\"duration\"']:int,\n ['\"orig_bytes\"']:long,\n ['\"resp_bytes\"']:long,\n ['\"local_orig\"']:bool,\n ['\"local_resp\"']:bool,\n ['\"missed_bytes\"']:long,\n ['\"history\"']:string,\n ['\"orig_pkts\"']:long,\n ['\"resp_pkts\"']:long,\n ['\"orig_l2_addr\"']:string,\n ['\"resp_l2_addr\"']:string,\n ['\"community_id']:string,\n ['\"vlan\"']:string,\n ['\"inner_vlan\"']:string\n ) \n with (quote = '\"')\n | extend \n EventCount=int(1),\n 
EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.4\",\n EventType=\"Flow\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n NetworkApplicationProtocol = ['\"service\"'],\n NetworkDuration = ['\"duration\"'],\n SrcBytes = ['\"orig_bytes\"'],\n DstBytes = ['\"resp_bytes\"'],\n local_orig = ['\"local_orig\"'],\n local_resp = ['\"local_resp\"'],\n FlowMissedBytes = ['\"missed_bytes\"'],\n SrcPackets = ['\"orig_pkts\"'],\n DstPackets = ['\"resp_pkts\"'],\n SrcMacAddr = ['\"orig_l2_addr\"'],\n DstMacAddr = ['\"resp_l2_addr\"'],\n DstVlanId = ['\"vlan\"'],\n SrcVlanId = ['\"inner_vlan\"'],\n FlowHistory = ['\"history\"'],\n NetworkSessionId = ['\"community_id'],\n Dvc = ['\"_system_name\"']\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp*\n | where ASimMatchingIpAddr != \"No match\"\n | lookup NetworkDirectionLookup on local_orig, local_resp\n | extend\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n NetworkProtocol = toupper(NetworkProtocol)\n // Aliases\n | extend \n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=NetworkDuration,\n SessionId = NetworkSessionId,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n Dst=DstIpAddr\n | project-away Message, local_orig, local_resp, 
conn_state\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json index 8a4ad88fbe6..a546418acdf 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCrowdStrikeFalconHost", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or blocked if policy was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n \"144\", 
\"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", \"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", \"Allow\", \"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n 
\"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let 
alldata = CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\")\n | where (array_length(hostname_has_any) == 0 or DestinationHostName has_any (hostname_has_any))\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (AdditionalExtensions has tostring(dstportnumber)))\n ;\n let firewalldata = alldata\n | where DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventFieldsLookup on ruleAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n )\n | 
where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | extend deviceIp = iff(hostName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | project-rename\n DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | lookup ActionLookup on EventOutcome\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where 
ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n SrcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(SrcDomain, DestinationNTDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = 
\"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n temp_*,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - 
} - ] + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or blocked if policy was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n \"144\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", 
\"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", \"Allow\", \"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", 
\"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let alldata = CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\")\n | where (array_length(hostname_has_any) == 0 or DestinationHostName has_any (hostname_has_any))\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (AdditionalExtensions has tostring(dstportnumber)))\n ;\n let firewalldata = alldata\n | where 
DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventFieldsLookup on ruleAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n )\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | extend deviceIp = iff(hostName matches regex 
\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | project-rename\n DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | lookup ActionLookup on EventOutcome\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n SrcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = 
coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(SrcDomain, DestinationNTDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n 
Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n temp_*,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json index f4941f57026..7a5d3ff897a 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionEmpty", - "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventOriginalSubType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional\n 
, DvcDescription:string // Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , DstDescription:string // Optional\n , DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoRegion: string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDescription:string // Optional\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , 
SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , SrcGeoCity:string // Optional\n , SrcGeoRegion: string // Optional \n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- Inspection fields\n , NetworkRuleName:string // Optional\n , NetworkRuleNumber:int // Optional\n , Rule:string // Optional\n , DvcAction:string // Optional\n , DvcOriginalAction:string // Optional\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatOriginalRiskLevel:string // Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\nparser", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM schema 
function", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionEmpty", + "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventOriginalSubType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional\n , DvcDescription:string // Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , DstDescription:string // Optional\n , DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , 
DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoRegion: string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDescription:string // Optional\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , SrcGeoCity:string // Optional\n , SrcGeoRegion: string // Optional \n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // 
Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- Inspection fields\n , NetworkRuleName:string // Optional\n , NetworkRuleNumber:int // Optional\n , Rule:string // Optional\n , DvcAction:string // Optional\n , DvcOriginalAction:string // Optional\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatOriginalRiskLevel:string // Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\nparser", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json index ccee34440ae..ba857324972 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionForcePointFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionForcePointFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Force Point Firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionForcePointFirewall", - "query": "let ApplicationProtocolLookup=datatable(ApplicationProtocol:string,NetworkApplicationProtocol:string)\n [\n \"HTTPS\",\"HTTPS\",\n \"HTTP-Over-QUIC\",\"HTTP\",\n \"HTTP\",\"HTTP\",\n \"DNS Over TLS\",\"DNS\",\n \"HTTP proxy\",\"HTTP\",\n \"IMAPS\",\"IMAPS\",\n \"SMTP\",\"SMTP\",\n \"IMAP\",\"IMAP\",\n \"POP3S\",\"POP3\",\n \"SMTP Submission Service\",\"SMTP\",\n \"X11\",\"X11\",\n \"RTSP\",\"RTSP\",\n \"Telnet\",\"TELNET\",\n \"NNTP\",\"NNTP\",\n \"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\n \"POP3\",\"POP3\",\n \"BGP\",\"BGP\",\n \"FTP\",\"FTP\",\n \"RIP\",\"RIP\",\n \"Squid HTTP proxy\",\"HTTP\",\n \"TFTP\",\"TFTP\",\n \"QOTD\",\"QOTD\",\n \"SCCP\",\"SCCP\",\n \"Modbus\",\"MODBUS\",\n \"SVN\",\"SVN\",\n \"RADIUS (Accounting)\",\"RADIUS\",\n \"Kerberos\",\"KERBEROS\",\n \"GRE\",\"GRE\",\n \"UUCP-rlogin\",\"UUCP\",\n \"GTP User Data Tunneling\",\"GTP\",\n \"NNTPS\",\"NNTP\",\n \"GTP Control\",\"GTP\",\n \"IRC-default\",\"IRC\",\n \"FTPS (Control)\",\"FTPS\",\n \"ICCP\",\"ICCP\",\n \"IRCS\",\"IRC\",\n \"Telnets\",\"TELNET\",\n \"Finger\",\"FINGER\",\n \"ESP\",\"ESP\",\n \"Rlogin\",\"RLP\",\n \"IMAP3\",\"IMAP\",\n \"MGCP\",\"MGCP\",\n \"RADIUS 
Accounting (Old)\",\"RADIUS\",\n \"RADIUS (Old)\",\"RADIUS\",\n \"CVS\",\"CVS\",\n \"Ident\",\"IDENT\",\n \"Gopher\",\"GOPHER\",\n \"BGMP\",\"BGMP\",\n \"FTPS (Data)\",\"FTPS\",\n \"POP2\",\"POP\",\n \"TLISRV\",\"TLISRV\",\n \"INGRES-NET\",\"INGRES-NET\",\n \"IPIP\",\"IPIP\",\n \"XTP\",\"XTP\",\n \"UUCP\",\"UUCP\",\n \"IRC\",\"IRC\",\n \"Photuris (ICMP)\",\"ICMP\",\n \"TACACS-DS\",\"TACACS-DS\",\n \"WESP\",\"WESP\",\n \"EGP\",\"EGP\",\n \"WSN\",\"WSN\",\n \"XDMCP\",\"XDMCP\",\n \"Kerberos IV\",\"KERBEROS\",\n \"IRTP\",\"IRTP\",\n \"TTP\",\"TTP\",\n \"IRC-SERV\",\"IRC\",\n \"I-NLSP\",\"NLSP\",\n \"SNP\",\"SNP\",\n \"XNS-IDP\",\"XNS\",\n \"SECURE-VMTP\",\"VMTP\",\n \"VMTP\",\"VMTP\",\n \"IPLT\",\"IPLT\",\n \"GGP\",\"GGP\",\n \"MFE-NSP\",\"NSP\",\n \"HIP\",\"HIP\",\n \"MERIT-NSP\",\"NSP\",\n \"NSFNET-IGP\",\"IGP\",\n \"DCN-MEAS\",\"DCN\",\n \"STP\",\"STP\",\n \"SRP\",\"SRP\",\n \"HMP\",\"HMP\",\n \"XNET\",\"XNET\",\n \"VRRP\",\"VRRP\",\n \"ENCAP\",\"ENCAP\",\n \"CPNX\",\"CPNX\",\n \"PTP\",\"PTP\",\n \"SKIP\",\"SKIP\",\n \"SCPS\",\"SCPS\",\n \"Sprite-RPC\",\"RPC\",\n \"IPv6 ICMP\",\"ICMP\",\n \"MUX\",\"MUX\",\n \"CHAOS\",\"CHAOS\",\n \"SSCOPMCE\",\"SSCOPMCE\",\n \"CBT\",\"CBT\",\n \"SPS\",\"SPS\",\n \"ETHERIP\",\"ETHERIP\",\n \"MTP\",\"MTP\",\n \"ROHC\",\"ROHC\",\n \"CRTP\",\"CRTP\",\n \"PNNI\",\"PNNI\",\n \"NETBLT\",\"NETBLT\",\n \"TLSP\",\"TLSP\",\n \"IDPR\",\"IDPR\",\n \"DDX\",\"DDX\",\n \"PUP\",\"PUP\",\n \"DSR\",\"DSR\",\n \"NARP\",\"NARP\",\n \"CPHB\",\"CPHB\",\n \"SMP\",\"SMP\",\n \"L2TP\",\"L2TP\",\n \"IPv6 ICMP/143/0\",\"ICMP\",\n \"MICP\",\"MICP\",\n \"GMTP\",\"GMTP\",\n \"LARP\",\"LARP\",\n \"IFMP\",\"IFMP\",\n \"IGP\",\"IGP\",\n \"CFTP\",\"CFTP\",\n \"PGM\",\"PGM\",\n \"DDP\",\"DDP\",\n \"PIPE\",\"PIPE\",\n \"IATP\",\"IATP\",\n \"IGMP\",\"IGMP\",\n \"3PC\",\"3PC\",\n \"DGP\",\"DGP\",\n \"TCF\",\"TCF\",\n \"UTI\",\"UTI\",\n \"DCCP\",\"DCCP\",\n \"SWIPE\",\"SWIPE\",\n \"EMCON\",\"EMCON\",\n \"PIM\",\"PIM\",\n \"RVD\",\"RVD\",\n ];\n let 
ActionLookup=datatable(DeviceAction:string,DvcAction_ActionLookup:string,EventResult_ActionLookup:string,EventSeverity_ActionLookup:string)\n [\n \"Allow\",\"Allow\",\"Success\",\"Informational\", \n \"Discard\",\"Drop\",\"Failure\",\"Low\",\n \"Permit\",\"Allow\",\"Success\",\"Informational\", \n \"Refuse\",\"Deny\",\"Failure\",\"Low\",\n \"Terminate\",\"Reset Source\",\"Failure\",\"Low\", \n \"Terminate (failed)\",\"\",\"Failure\",\"Low\",\n \"Terminate (passive)\",\"Reset Destination\",\"Failure\",\"Low\", \n \"Terminate (reset)\",\"Reset\",\"Failure\",\"Low\",\n \"Wait for Authentication\",\"\",\"Success\",\"Informational\",\n \"Wait for Further Actions\",\"\",\"Success\",\"Informational\", \n \"Wait for RPC Reply\",\"\",\"Success\",\"Informational\"\n ];\n let DeviceEventClassIDLookup_Packet=datatable(DeviceEventClassID:string,EventSubType:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string) //Add more codes if needed\n [\n \"70018\",\"Start\",\"Allow\",\"Success\",\"Informational\", // Connection_Allowed\n \"70019\",\"End\",\"Deny\",\"Failure\",\"Low\", // Connection_Discarded\n \"70021\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed\n \"70022\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed-Abnormally\n \"70026\",\"\",\"\",\"Success\",\"Informational\", // Connection_Progress\n ];\n let DeviceEventClassIDLookup_File=datatable(DeviceEventClassID:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string)\n [\n \"76506\",\"Allow\",\"Success\",\"Informational\", // File_Allowed\n \"76508\",\"Deny\",\"Failure\",\"Low\", // File_Malware-Blocked\n \"76509\",\"\",\"Failure\",\"Low\" // File_Malware-Detected\n ];\n let MessageLookup = datatable (Message:string, DvcAction_MessageLookup:string, EventResult_MessageLookup:string, EventResultDetails:string, 
EventOriginalResultDetails:string) \n [\n \"Connection dropped\", \"Drop\", \"Failure\",\"Terminated\", \"Connection dropped\",\n \"Connection removed because NGFW Engine is low on memory.\",\"Drop\", \"Failure\",\"Terminated\",\"Connection removed because NGFW Engine is low on memory.\",\n \"Connection timeout in state TCP_CLOSE_WAIT\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for the FIN packet (passive close).\",\n \"Connection timeout in state TCP_CLOSE_WAIT_ACK\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for the FIN packet (passive close)\",\n \"Connection timeout in state TCP_CLOSING\", \"\", \"Success\", \"Timeout\", \"Closing packet (FIN) sent by one end of the Connection (simultaneous).\",\n \"Connection timeout in state TCP_CLOSING_ACK\", \"\", \"Success\", \"Timeout\", \"Waiting for ACK for the FIN before going to closing status (active close).\",\n \"Connection timeout in state TCP_ESTABLISHED\", \"\", \"Failure\", \"Timeout\", \"Normal status of TCP Connections for data transfer.\",\n \"Connection timeout in state TCP_FIN_WAIT_1\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for sending the FIN packet (active close).\",\n \"Connection timeout in state TCP_FIN_WAIT_2\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for receiving ACK packet.\",\n \"Connection timeout in state TCP_LAST_ACK\", \"\",\t\"Success\", \"Timeout\", \"One end of the Connection sent a FIN packet (passive close).\",\n \"Connection timeout in state TCP_LAST_ACK_WAIT\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for the FIN packet to be acknowledged.\",\n \"Connection timeout in state TCP_SYN_ACK_SEEN\", \"\", \"Failure\",\t\"Timeout\", \"Second phase of the TCP three-way handshake, the server has replied to client sent SYN with SYN+ACK, next status will be established.\",\n \"Connection timeout in state TCP_SYN_FIN_SEEN\", \"\",\t\"Success\", \"Timeout\", \"T/TCP (Transactional TCP) 
Connection, RFC 1644.\",\n \"Connection timeout in state TCP_SYN_RETURN\", \"\", \"Failure\", \"Timeout\", \"Received simultaneous SYN from the other end (simultaneous open).\",\n \"Connection timeout in state TCP_SYN_SEEN\", \"\", \"Failure\", \"Timeout\", \"First packet sent by one end of the Connection.\",\n \"Connection timeout in state TCP_TIME_WAIT\", \"\", \"Success\", \"Timeout\", \"One end of the Connection acknowledged closing packet (FIN).\",\n \"Connection timeout in state TCP_TIME_WAIT_ACK\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for ACK for the FIN status before going to time wait status (active close).\",\n \"Connection timeout in state ICMP_ECHO\", \"\", \"Failure\", \"Timeout\", \"Ping reply is expected.\",\n \"Connection timeout in state ICMP_REPLY_WAIT\", \"\", \"Failure\", \"Timeout\", \"Other ICMP request or reply types.\",\n \"Connection was reset by client\", \"Reset Source\", \"Failure\",\"Reset\", \"\",\n \"Connection was reset by server\", \"Reset Destination\", \"Failure\",\"Reset\", \"\",\n \"invalid packet (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [A] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FPA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [PA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [RA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [SA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation\",\"Deny\",\"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation: Connection end-point replied with ACK to SYN-packet. 
Connection refused.\", \"Deny\", \"Failure\", \"Invalid TCP\", \"\",\n \"TSC error: Query timed out\", \"\", \"Failure\", \"Timeout\", \"\"\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let prefilter = (T:(DestinationPort:int,ApplicationProtocol:string,SourceIP:string,DestinationIP:string,AdditionalExtensions:string)) {\n T\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (ApplicationProtocol has tostring(dstportnumber)))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | where array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any)\n };\n let ForcePointNetwork = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor==\"FORCEPOINT\" and DeviceProduct==\"Firewall\"\n | where DeviceFacility in~ (\"Inspection\",\"Packet Filtering\",\"File Filtering\") and isnotempty(DeviceEventClassID) and DeviceEventClassID != \"0\"\n ;\n let PacketFilteringData = 
ForcePointNetwork\n | where DeviceFacility == \"Packet Filtering\" and DeviceEventClassID !in (\"70383\",\"70393\",\"70734\",\"71009\",\"71040\")\n | invoke prefilter()\n | lookup DeviceEventClassIDLookup_Packet on DeviceEventClassID\n | lookup MessageLookup on Message\n | extend DvcAction = coalesce(DvcAction_MessageLookup, DvcAction_DeviceEventClassIDLookup), \n EventResult = case (Message startswith \"Referred connection not known\", \"Failure\",\n coalesce(EventResult_MessageLookup, EventResult_DeviceEventClassIDLookup)), \n EventSeverity = case(Message startswith \"Referred connection not known\", \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(Message startswith \"Referred connection not known\", Message,\n EventOriginalResultDetails),\n EventType = \"NetworkSession\"\n | project-away DvcAction_*, EventResult_*, EventSeverity_DeviceEventClassIDLookup;\n let FileFilteringData = ForcePointNetwork\n | where DeviceFacility == \"File Filtering\"\n | invoke prefilter()\n | lookup DeviceEventClassIDLookup_File on DeviceEventClassID\n | extend ThreatName = case (DeviceEventClassID in (\"76508\", \"76509\"), Activity,\n \"\")\n | project-rename DvcAction = DvcAction_DeviceEventClassIDLookup\n | extend EventResult = case(isnotempty(Message), \"Failure\",\n EventResult_DeviceEventClassIDLookup), \n EventSeverity = case(isnotempty(Message), \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(isnotempty(Message), Message,\n \"\"),\n EventType = \"NetworkSession\"\n | project-away *_DeviceEventClassIDLookup;\n let InspectionData = ForcePointNetwork\n | where DeviceFacility == \"Inspection\" or DeviceEventClassID == \"70734\"\n | invoke prefilter()\n | extend MessageCode = toint(DeviceEventClassID)\n | extend EventSeverity = case (DeviceAction in~ (\"Allow\",\"Permit\"), \"Informational\",\n MessageCode >= 200000, \"High\",\n MessageCode < 200000, \"Low\",\n \"\"),\n EventType = case (MessageCode < 
80000, \"NetworkSession\",\n \"IDS\")\n | extend ThreatName = Activity\n | project-away MessageCode;\n union PacketFilteringData, FileFilteringData, InspectionData\n | extend NetworkProtocol = _ASIM_LookupNetworkProtocol(Protocol)\n | lookup ActionLookup on DeviceAction\n | extend DvcAction = coalesce(DvcAction,DvcAction_ActionLookup), \n EventResult = coalesce(EventResult,EventResult_ActionLookup), \n EventSeverity = coalesce(EventSeverity, EventSeverity_ActionLookup)\n | project-away *_ActionLookup\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or (EventResult == eventresult))\n | lookup ApplicationProtocolLookup on ApplicationProtocol\n | extend \n EventCount = toint(1),\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Forcepoint\",\n EventProduct = \"Firewall\"\n | parse AdditionalExtensions with * \"requestURL=\" requestURL \n | project-rename\n EventOriginalType = DeviceEventClassID,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventMessage = Message,\n DvcOriginalAction = DeviceAction,\n SrcBytes = SentBytes,\n DstBytes = ReceivedBytes,\n EventOriginalSubType = DeviceFacility,\n DvcId = DeviceExternalID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcIpAddr = DeviceAddress,\n EventOriginalSeverity = LogSeverity,\n ThreatId = DeviceCustomString3\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ThreatCategory = column_ifexists(\"DeviceEventCategory\",\"\"),\n EventStartTime = todatetime(ReceiptTime),\n EventEndTime = todatetime(ReceiptTime),\n ipv6_parts = extract_all 
(@'^\\[(.+)\\](?:\\:(\\d+))?$',requestURL)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',requestURL)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',requestURL)[0]\n | extend \n NetworkRuleName = case(isnotempty(DeviceCustomString2), strcat(DeviceCustomString1,',',DeviceCustomString2),\n DeviceCustomString1),\n DstDomainPart = tostring(host_parts[0]),\n DstIpAddr = coalesce(DstIpAddr, tostring(ipv4_parts[0]), tostring(ipv6_parts[0])),\n DstPortNumber = coalesce(DstPortNumber, toint(host_parts[1]), toint(ipv4_parts[1]), toint(ipv6_parts[1]))\n | invoke _ASIM_ResolveDstFQDN('DstDomainPart')\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n DstHostname has_any (hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n DvcIdType = case(isnotempty(DvcId), \"ForcepointId\",\n \"\"),\n DstPortNumber = case(\n isnotempty(DstPortNumber), DstPortNumber,\n ApplicationProtocol startswith \"TCP\", toint(split(ApplicationProtocol,'/')[1]),\n ApplicationProtocol startswith \"UDP\", toint(split(ApplicationProtocol,'/')[1]),\n int(null)),\n AdditionalFields = pack(iff(isnotempty(RequestMethod) and RequestMethod != \"UNKNOWN\", \"RequestMethod\", \"\"),RequestMethod,\n iff(isnotempty(DeviceCustomString4),\"VirusId\",\"\"),DeviceCustomString4),\n DstAppName = case(DestinationServiceName in~ (\"Generic-Web-HTTP\",\"Application-Unknown\",\"Unknown-Encrypted-Application\"), \"\",\n DestinationServiceName),\n DvcIpAddr = coalesce(DvcIpAddr,DeviceName)\n | extend\n Dvc = DvcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, Remote*, 
ReportReferenceLink, Request*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, ExtID, EventOutcome, FieldDevice*, Reason, ApplicationProtocol, Activity, requestURL, Computer, DstDomainPart, host_parts, ipv4_parts, ipv6_parts, temp_*\n };\n parser(starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Force Point Firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionForcePointFirewall", + "query": "let ApplicationProtocolLookup=datatable(ApplicationProtocol:string,NetworkApplicationProtocol:string)\n [\n \"HTTPS\",\"HTTPS\",\n \"HTTP-Over-QUIC\",\"HTTP\",\n \"HTTP\",\"HTTP\",\n \"DNS Over TLS\",\"DNS\",\n \"HTTP proxy\",\"HTTP\",\n \"IMAPS\",\"IMAPS\",\n \"SMTP\",\"SMTP\",\n \"IMAP\",\"IMAP\",\n \"POP3S\",\"POP3\",\n \"SMTP Submission Service\",\"SMTP\",\n \"X11\",\"X11\",\n \"RTSP\",\"RTSP\",\n \"Telnet\",\"TELNET\",\n \"NNTP\",\"NNTP\",\n \"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\n \"POP3\",\"POP3\",\n \"BGP\",\"BGP\",\n \"FTP\",\"FTP\",\n \"RIP\",\"RIP\",\n \"Squid HTTP proxy\",\"HTTP\",\n \"TFTP\",\"TFTP\",\n \"QOTD\",\"QOTD\",\n \"SCCP\",\"SCCP\",\n \"Modbus\",\"MODBUS\",\n \"SVN\",\"SVN\",\n \"RADIUS (Accounting)\",\"RADIUS\",\n 
\"Kerberos\",\"KERBEROS\",\n \"GRE\",\"GRE\",\n \"UUCP-rlogin\",\"UUCP\",\n \"GTP User Data Tunneling\",\"GTP\",\n \"NNTPS\",\"NNTP\",\n \"GTP Control\",\"GTP\",\n \"IRC-default\",\"IRC\",\n \"FTPS (Control)\",\"FTPS\",\n \"ICCP\",\"ICCP\",\n \"IRCS\",\"IRC\",\n \"Telnets\",\"TELNET\",\n \"Finger\",\"FINGER\",\n \"ESP\",\"ESP\",\n \"Rlogin\",\"RLP\",\n \"IMAP3\",\"IMAP\",\n \"MGCP\",\"MGCP\",\n \"RADIUS Accounting (Old)\",\"RADIUS\",\n \"RADIUS (Old)\",\"RADIUS\",\n \"CVS\",\"CVS\",\n \"Ident\",\"IDENT\",\n \"Gopher\",\"GOPHER\",\n \"BGMP\",\"BGMP\",\n \"FTPS (Data)\",\"FTPS\",\n \"POP2\",\"POP\",\n \"TLISRV\",\"TLISRV\",\n \"INGRES-NET\",\"INGRES-NET\",\n \"IPIP\",\"IPIP\",\n \"XTP\",\"XTP\",\n \"UUCP\",\"UUCP\",\n \"IRC\",\"IRC\",\n \"Photuris (ICMP)\",\"ICMP\",\n \"TACACS-DS\",\"TACACS-DS\",\n \"WESP\",\"WESP\",\n \"EGP\",\"EGP\",\n \"WSN\",\"WSN\",\n \"XDMCP\",\"XDMCP\",\n \"Kerberos IV\",\"KERBEROS\",\n \"IRTP\",\"IRTP\",\n \"TTP\",\"TTP\",\n \"IRC-SERV\",\"IRC\",\n \"I-NLSP\",\"NLSP\",\n \"SNP\",\"SNP\",\n \"XNS-IDP\",\"XNS\",\n \"SECURE-VMTP\",\"VMTP\",\n \"VMTP\",\"VMTP\",\n \"IPLT\",\"IPLT\",\n \"GGP\",\"GGP\",\n \"MFE-NSP\",\"NSP\",\n \"HIP\",\"HIP\",\n \"MERIT-NSP\",\"NSP\",\n \"NSFNET-IGP\",\"IGP\",\n \"DCN-MEAS\",\"DCN\",\n \"STP\",\"STP\",\n \"SRP\",\"SRP\",\n \"HMP\",\"HMP\",\n \"XNET\",\"XNET\",\n \"VRRP\",\"VRRP\",\n \"ENCAP\",\"ENCAP\",\n \"CPNX\",\"CPNX\",\n \"PTP\",\"PTP\",\n \"SKIP\",\"SKIP\",\n \"SCPS\",\"SCPS\",\n \"Sprite-RPC\",\"RPC\",\n \"IPv6 ICMP\",\"ICMP\",\n \"MUX\",\"MUX\",\n \"CHAOS\",\"CHAOS\",\n \"SSCOPMCE\",\"SSCOPMCE\",\n \"CBT\",\"CBT\",\n \"SPS\",\"SPS\",\n \"ETHERIP\",\"ETHERIP\",\n \"MTP\",\"MTP\",\n \"ROHC\",\"ROHC\",\n \"CRTP\",\"CRTP\",\n \"PNNI\",\"PNNI\",\n \"NETBLT\",\"NETBLT\",\n \"TLSP\",\"TLSP\",\n \"IDPR\",\"IDPR\",\n \"DDX\",\"DDX\",\n \"PUP\",\"PUP\",\n \"DSR\",\"DSR\",\n \"NARP\",\"NARP\",\n \"CPHB\",\"CPHB\",\n \"SMP\",\"SMP\",\n \"L2TP\",\"L2TP\",\n \"IPv6 ICMP/143/0\",\"ICMP\",\n \"MICP\",\"MICP\",\n 
\"GMTP\",\"GMTP\",\n \"LARP\",\"LARP\",\n \"IFMP\",\"IFMP\",\n \"IGP\",\"IGP\",\n \"CFTP\",\"CFTP\",\n \"PGM\",\"PGM\",\n \"DDP\",\"DDP\",\n \"PIPE\",\"PIPE\",\n \"IATP\",\"IATP\",\n \"IGMP\",\"IGMP\",\n \"3PC\",\"3PC\",\n \"DGP\",\"DGP\",\n \"TCF\",\"TCF\",\n \"UTI\",\"UTI\",\n \"DCCP\",\"DCCP\",\n \"SWIPE\",\"SWIPE\",\n \"EMCON\",\"EMCON\",\n \"PIM\",\"PIM\",\n \"RVD\",\"RVD\",\n ];\n let ActionLookup=datatable(DeviceAction:string,DvcAction_ActionLookup:string,EventResult_ActionLookup:string,EventSeverity_ActionLookup:string)\n [\n \"Allow\",\"Allow\",\"Success\",\"Informational\", \n \"Discard\",\"Drop\",\"Failure\",\"Low\",\n \"Permit\",\"Allow\",\"Success\",\"Informational\", \n \"Refuse\",\"Deny\",\"Failure\",\"Low\",\n \"Terminate\",\"Reset Source\",\"Failure\",\"Low\", \n \"Terminate (failed)\",\"\",\"Failure\",\"Low\",\n \"Terminate (passive)\",\"Reset Destination\",\"Failure\",\"Low\", \n \"Terminate (reset)\",\"Reset\",\"Failure\",\"Low\",\n \"Wait for Authentication\",\"\",\"Success\",\"Informational\",\n \"Wait for Further Actions\",\"\",\"Success\",\"Informational\", \n \"Wait for RPC Reply\",\"\",\"Success\",\"Informational\"\n ];\n let DeviceEventClassIDLookup_Packet=datatable(DeviceEventClassID:string,EventSubType:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string) //Add more codes if needed\n [\n \"70018\",\"Start\",\"Allow\",\"Success\",\"Informational\", // Connection_Allowed\n \"70019\",\"End\",\"Deny\",\"Failure\",\"Low\", // Connection_Discarded\n \"70021\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed\n \"70022\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed-Abnormally\n \"70026\",\"\",\"\",\"Success\",\"Informational\", // Connection_Progress\n ];\n let 
DeviceEventClassIDLookup_File=datatable(DeviceEventClassID:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string)\n [\n \"76506\",\"Allow\",\"Success\",\"Informational\", // File_Allowed\n \"76508\",\"Deny\",\"Failure\",\"Low\", // File_Malware-Blocked\n \"76509\",\"\",\"Failure\",\"Low\" // File_Malware-Detected\n ];\n let MessageLookup = datatable (Message:string, DvcAction_MessageLookup:string, EventResult_MessageLookup:string, EventResultDetails:string, EventOriginalResultDetails:string) \n [\n \"Connection dropped\", \"Drop\", \"Failure\",\"Terminated\", \"Connection dropped\",\n \"Connection removed because NGFW Engine is low on memory.\",\"Drop\", \"Failure\",\"Terminated\",\"Connection removed because NGFW Engine is low on memory.\",\n \"Connection timeout in state TCP_CLOSE_WAIT\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for the FIN packet (passive close).\",\n \"Connection timeout in state TCP_CLOSE_WAIT_ACK\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for the FIN packet (passive close)\",\n \"Connection timeout in state TCP_CLOSING\", \"\", \"Success\", \"Timeout\", \"Closing packet (FIN) sent by one end of the Connection (simultaneous).\",\n \"Connection timeout in state TCP_CLOSING_ACK\", \"\", \"Success\", \"Timeout\", \"Waiting for ACK for the FIN before going to closing status (active close).\",\n \"Connection timeout in state TCP_ESTABLISHED\", \"\", \"Failure\", \"Timeout\", \"Normal status of TCP Connections for data transfer.\",\n \"Connection timeout in state TCP_FIN_WAIT_1\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for sending the FIN packet (active close).\",\n \"Connection timeout in state TCP_FIN_WAIT_2\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for receiving ACK packet.\",\n \"Connection timeout in state TCP_LAST_ACK\", \"\",\t\"Success\", \"Timeout\", 
\"One end of the Connection sent a FIN packet (passive close).\",\n \"Connection timeout in state TCP_LAST_ACK_WAIT\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for the FIN packet to be acknowledged.\",\n \"Connection timeout in state TCP_SYN_ACK_SEEN\", \"\", \"Failure\",\t\"Timeout\", \"Second phase of the TCP three-way handshake, the server has replied to client sent SYN with SYN+ACK, next status will be established.\",\n \"Connection timeout in state TCP_SYN_FIN_SEEN\", \"\",\t\"Success\", \"Timeout\", \"T/TCP (Transactional TCP) Connection, RFC 1644.\",\n \"Connection timeout in state TCP_SYN_RETURN\", \"\", \"Failure\", \"Timeout\", \"Received simultaneous SYN from the other end (simultaneous open).\",\n \"Connection timeout in state TCP_SYN_SEEN\", \"\", \"Failure\", \"Timeout\", \"First packet sent by one end of the Connection.\",\n \"Connection timeout in state TCP_TIME_WAIT\", \"\", \"Success\", \"Timeout\", \"One end of the Connection acknowledged closing packet (FIN).\",\n \"Connection timeout in state TCP_TIME_WAIT_ACK\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for ACK for the FIN status before going to time wait status (active close).\",\n \"Connection timeout in state ICMP_ECHO\", \"\", \"Failure\", \"Timeout\", \"Ping reply is expected.\",\n \"Connection timeout in state ICMP_REPLY_WAIT\", \"\", \"Failure\", \"Timeout\", \"Other ICMP request or reply types.\",\n \"Connection was reset by client\", \"Reset Source\", \"Failure\",\"Reset\", \"\",\n \"Connection was reset by server\", \"Reset Destination\", \"Failure\",\"Reset\", \"\",\n \"invalid packet (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [A] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FPA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [PA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a 
(valid) SYN packet [RA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [SA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation\",\"Deny\",\"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation: Connection end-point replied with ACK to SYN-packet. Connection refused.\", \"Deny\", \"Failure\", \"Invalid TCP\", \"\",\n \"TSC error: Query timed out\", \"\", \"Failure\", \"Timeout\", \"\"\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let prefilter = (T:(DestinationPort:int,ApplicationProtocol:string,SourceIP:string,DestinationIP:string,AdditionalExtensions:string)) {\n T\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (ApplicationProtocol has tostring(dstportnumber)))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | where array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any)\n };\n let ForcePointNetwork = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n 
and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor==\"FORCEPOINT\" and DeviceProduct==\"Firewall\"\n | where DeviceFacility in~ (\"Inspection\",\"Packet Filtering\",\"File Filtering\") and isnotempty(DeviceEventClassID) and DeviceEventClassID != \"0\"\n ;\n let PacketFilteringData = ForcePointNetwork\n | where DeviceFacility == \"Packet Filtering\" and DeviceEventClassID !in (\"70383\",\"70393\",\"70734\",\"71009\",\"71040\")\n | invoke prefilter()\n | lookup DeviceEventClassIDLookup_Packet on DeviceEventClassID\n | lookup MessageLookup on Message\n | extend DvcAction = coalesce(DvcAction_MessageLookup, DvcAction_DeviceEventClassIDLookup), \n EventResult = case (Message startswith \"Referred connection not known\", \"Failure\",\n coalesce(EventResult_MessageLookup, EventResult_DeviceEventClassIDLookup)), \n EventSeverity = case(Message startswith \"Referred connection not known\", \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(Message startswith \"Referred connection not known\", Message,\n EventOriginalResultDetails),\n EventType = \"NetworkSession\"\n | project-away DvcAction_*, EventResult_*, EventSeverity_DeviceEventClassIDLookup;\n let FileFilteringData = ForcePointNetwork\n | where DeviceFacility == \"File Filtering\"\n | invoke prefilter()\n | lookup DeviceEventClassIDLookup_File on DeviceEventClassID\n | extend ThreatName = case (DeviceEventClassID in (\"76508\", \"76509\"), Activity,\n \"\")\n | project-rename DvcAction = DvcAction_DeviceEventClassIDLookup\n | extend EventResult = case(isnotempty(Message), \"Failure\",\n EventResult_DeviceEventClassIDLookup), \n EventSeverity = case(isnotempty(Message), \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(isnotempty(Message), Message,\n \"\"),\n EventType = \"NetworkSession\"\n | project-away *_DeviceEventClassIDLookup;\n let InspectionData = ForcePointNetwork\n | where DeviceFacility == \"Inspection\" or 
DeviceEventClassID == \"70734\"\n | invoke prefilter()\n | extend MessageCode = toint(DeviceEventClassID)\n | extend EventSeverity = case (DeviceAction in~ (\"Allow\",\"Permit\"), \"Informational\",\n MessageCode >= 200000, \"High\",\n MessageCode < 200000, \"Low\",\n \"\"),\n EventType = case (MessageCode < 80000, \"NetworkSession\",\n \"IDS\")\n | extend ThreatName = Activity\n | project-away MessageCode;\n union PacketFilteringData, FileFilteringData, InspectionData\n | extend NetworkProtocol = _ASIM_LookupNetworkProtocol(Protocol)\n | lookup ActionLookup on DeviceAction\n | extend DvcAction = coalesce(DvcAction,DvcAction_ActionLookup), \n EventResult = coalesce(EventResult,EventResult_ActionLookup), \n EventSeverity = coalesce(EventSeverity, EventSeverity_ActionLookup)\n | project-away *_ActionLookup\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or (EventResult == eventresult))\n | lookup ApplicationProtocolLookup on ApplicationProtocol\n | extend \n EventCount = toint(1),\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Forcepoint\",\n EventProduct = \"Firewall\"\n | parse AdditionalExtensions with * \"requestURL=\" requestURL \n | project-rename\n EventOriginalType = DeviceEventClassID,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventMessage = Message,\n DvcOriginalAction = DeviceAction,\n SrcBytes = SentBytes,\n DstBytes = ReceivedBytes,\n EventOriginalSubType = DeviceFacility,\n DvcId = DeviceExternalID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcIpAddr = DeviceAddress,\n EventOriginalSeverity = 
LogSeverity,\n ThreatId = DeviceCustomString3\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ThreatCategory = column_ifexists(\"DeviceEventCategory\",\"\"),\n EventStartTime = todatetime(ReceiptTime),\n EventEndTime = todatetime(ReceiptTime),\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',requestURL)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',requestURL)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',requestURL)[0]\n | extend \n NetworkRuleName = case(isnotempty(DeviceCustomString2), strcat(DeviceCustomString1,',',DeviceCustomString2),\n DeviceCustomString1),\n DstDomainPart = tostring(host_parts[0]),\n DstIpAddr = coalesce(DstIpAddr, tostring(ipv4_parts[0]), tostring(ipv6_parts[0])),\n DstPortNumber = coalesce(DstPortNumber, toint(host_parts[1]), toint(ipv4_parts[1]), toint(ipv6_parts[1]))\n | invoke _ASIM_ResolveDstFQDN('DstDomainPart')\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n DstHostname has_any (hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n DvcIdType = case(isnotempty(DvcId), \"ForcepointId\",\n \"\"),\n DstPortNumber = case(\n isnotempty(DstPortNumber), DstPortNumber,\n ApplicationProtocol startswith \"TCP\", toint(split(ApplicationProtocol,'/')[1]),\n ApplicationProtocol startswith \"UDP\", toint(split(ApplicationProtocol,'/')[1]),\n int(null)),\n AdditionalFields = pack(iff(isnotempty(RequestMethod) and RequestMethod != \"UNKNOWN\", \"RequestMethod\", \"\"),RequestMethod,\n iff(isnotempty(DeviceCustomString4),\"VirusId\",\"\"),DeviceCustomString4),\n DstAppName = case(DestinationServiceName in~ (\"Generic-Web-HTTP\",\"Application-Unknown\",\"Unknown-Encrypted-Application\"), \"\",\n DestinationServiceName),\n DvcIpAddr = coalesce(DvcIpAddr,DeviceName)\n | extend\n Dvc = DvcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n 
DvcInterface = DvcInboundInterface,\n Hostname = DstHostname\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, Remote*, ReportReferenceLink, Request*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, ExtID, EventOutcome, FieldDevice*, Reason, ApplicationProtocol, Activity, requestURL, Computer, DstDomainPart, host_parts, ipv4_parts, ipv6_parts, temp_*\n };\n parser(starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json index 0a27dfc50b8..3a086215c44 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionFortinetFortiGate", - "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n [\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n ];\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"Critical\", // High\n \"7\", \"Alert\", // Medium\n \"8\", \"High\" // Emergency\n ];\n let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), 
dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | where (array_length(hostname_has_any)==0)\n | where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n | extend temp_ResultMatch = case (\n eventresult==\"*\", true,\n (eventresult == \"Success\") and (DeviceAction in (\"accept\", \"close\") or Activity has_any (\"accept\", \"close\")), true,\n (eventresult == \"Failure\") and (DeviceAction !in (\"accept\", \"close\") and not(Activity has_any (\"accept\", \"close\"))), true,\n false\n )\n | where temp_ResultMatch\n | extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | project 
Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, ASimMatchingIpAddr, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long\n ) with (pair_delimiter=';', kv_delimiter='=')\n | project-rename\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n NetworkRuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | extend EventCount = int(1)\n , EventSchema = 
\"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n };\n Parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionFortinetFortiGate", + "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n [\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection 
error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n ];\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"Critical\", // High\n \"7\", \"Alert\", // Medium\n \"8\", \"High\" // Emergency\n ];\n let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | where (array_length(hostname_has_any)==0)\n | where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n | extend temp_ResultMatch = case (\n eventresult==\"*\", true,\n (eventresult == \"Success\") and (DeviceAction in (\"accept\", \"close\") or Activity has_any (\"accept\", \"close\")), true,\n (eventresult == \"Failure\") and (DeviceAction !in (\"accept\", \"close\") and not(Activity has_any (\"accept\", \"close\"))), true,\n false\n )\n | where 
temp_ResultMatch\n | extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, ASimMatchingIpAddr, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n 
FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long\n ) with (pair_delimiter=';', kv_delimiter='=')\n | project-rename\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n NetworkRuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | extend EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n };\n Parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md new file mode 100644 index 00000000000..874cb484eb3 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md @@ -0,0 +1,18 @@ +# Illumio SaaS Core ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for Illumio SaaS Core. + +This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionIllumioSaaSCore%2FvimNetworkSessionIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionIllumioSaaSCore%2FvimNetworkSessionIllumioSaaSCore.json) diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json new file mode 100644 index 00000000000..a7193048c13 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionIllumioSaaSCore')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionIllumioSaaSCore", + "query": "let ProtocolLookup = datatable(proto:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 
55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\nlet NetworkProtocolVersionLookup = datatable(version: int, NetworkProtocolVersion: string)\n[\n 4,\"IPv4\",\n 6,\"IPv6\"\n];\nlet EventResultLookup = datatable(DvcAction: string, EventResult: string)\n[\n \"Deny\", \"Failure\",\n \"Allow\", \"Success\"\n];\nlet DvcActionLookup = datatable(pd: int, DvcAction: string)\n[\n// - Allow\n// - Deny\n// - Drop\n// - Drop ICMP\n// - Reset\n// - Reset Source\n// - Reset Destination\n// - 
Encrypt\n// - Decrypt\n// - VPNroute\n 2, \"Deny\",\n 1, \"Allow\",\n 0, \"Allow\"\n];\nlet ClassLookup = datatable(class: string, ClassDetail: string)\n[\n\"M\", \"Multicast\",\n\"B\", \"Broadcast\",\n\"U\", \"Unicast\"\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n Illumio_Flow_Events_CL \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime)\n // ***** parser filter params *****\n | where\n (isnull(dstportnumber) or (dst_port == dstportnumber)) \n | extend temp_isSrcMatch=has_any_ipv4_prefix(src_ip,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(dst_ip,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | extend temp_is_MatchSrcHostname = src_hostname has_any (hostname_has_any)\n , temp_is_MatchDstHostname = dst_hostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname, \"Both\",\n temp_is_MatchSrcHostname, \"SrcHostname\",\n temp_is_MatchDstHostname, \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != 
\"No match\" \n | project-away temp_*\n // ***** parser filter params *****\n | lookup ProtocolLookup on proto\n | lookup NetworkProtocolVersionLookup on version\n | lookup DvcActionLookup on pd //set DvcAction\n | extend EventResult = iff(DvcAction == \"Deny\", \"Failure\", \"Success\")\n | lookup ClassLookup on class\n // ***** parser filter params *****\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) \n and eventresult=='*' or (eventresult == EventResult) \n and (array_length(hostname_has_any)==0 or dst_hostname has_any (hostname_has_any) or src_hostname has_any(hostname_has_any))\n // ***** parser filter params ***** \n | extend\n EventCount = flow_count,\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventType = 'Flow',\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'NetworkSession',\n Dvc = pce_fqdn \n | extend NetworkDirection = case(\n dir=='I', 'Inbound',\n dir=='O', 'Outbound',\n 'Unknown'\n ),\n NetworkDuration = interval_sec,\n DstBytes = tolong(dst_dbo),\n SrcBytes = tolong(dst_dbi),\n DstIpAddr = dst_ip,\n SrcIpAddr = src_ip,\n DstPortNumber = dst_port,\n DstHostname = dst_hostname,\n SrcHostname = src_hostname,\n EventSeverity = case( \n DvcAction=='Deny', 'Low',\n 'Informational' \n )\n | extend \n SrcProcessName = iif(dir=='O', pn, ''),\n DstProcessName = iif(dir=='I', pn, ''),\n SrcUsername = iif(dir=='O', un, ''),\n DstUsername = iif(dir=='I', un, '')\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername) \n //Aliases\n | extend \n DvcIpAddr = SrcIpAddr,\n DvcHostname = SrcHostname\n | extend\n AdditionalFields = bag_pack(\"Class\", ClassDetail,\n \"Network\",network,\n \"Source_Labels\", src_labels,\n \"Dest_Labels\", dst_labels,\n \"Src_href\", src_href, // can this be stored in SrcId instead?\n \"Dst_href\", dst_href // can this be stored in DvcId instead?\n )\n // aliases \n | 
extend\n Duration = NetworkDuration,\n User = DstUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n EventUid = _ItemId\n | project-away \n pce_fqdn,\n icmp_type,\n TenantId,\n proto,\n dst_port,\n src_ip,\n dst_ip,\n code,\n dst_dbi,\n dst_dbo,\n dst_tbi,\n dst_tbo, \n dst_hostname,\n src_hostname,\n dir,\n flow_count,\n src_href,\n dst_href,\n src_labels,\n dst_labels,\n network,\n class,\n org_id,\n state, // decide how to use this\n pd_qualifier, //decide how to use this\n interval_sec,\n version,\n ddms, // not needed\n tdms, // not needed\n pn, \n un,\n pd,\n ClassDetail\n}; \nparser(starttime=starttime, \nendtime=endtime, \nsrcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \ndstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \nipaddr_has_any_prefix=ipaddr_has_any_prefix,\ndstportnumber=dstportnumber,\nhostname_has_any=hostname_has_any, \ndvcaction=dvcaction,\neventresult=eventresult, \ndisabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json index 779ae1148f3..8925cd81f0d 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json 
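Review bot: The combined post-filter near the end of the `parser` body, `| where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) and eventresult=='*' or (eventresult == EventResult) and (...)`, is mis-grouped: KQL binds `and` tighter than `or`, so a caller that passes a specific `eventresult` (e.g. `Failure`) silently loses the `dvcaction` restriction and gets rows back that the filtering parser was asked to exclude, while a caller passing `'*'` drops the trailing hostname clause (harmless only because `ASimMatchingHostname` already enforced it earlier). Parenthesize the result test so all three conditions are conjoined: `| where (array_length(dvcaction) == 0 or DvcAction in (dvcaction))` / `and (eventresult == '*' or eventresult == EventResult)` / `and (array_length(hostname_has_any) == 0 or dst_hostname has_any (hostname_has_any) or src_hostname has_any (hostname_has_any))`. Separately, `ProtocolLookup` lists protocol number 84 twice (`TTP` and `IPTM`), and `lookup ProtocolLookup on proto` will therefore emit two rows for every flow with `proto == 84`, so one of the two entries should be dropped. The `EventResultLookup` datatable is never referenced (`EventResult` is derived with `iff`) and can be removed.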
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMD4IoTAgent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMD4IoTAgent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Defender for IoT micro agent", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMD4IoTAgent", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix, srcipaddr_has_any_prefix); \n let DirectionNetworkEvents =\n SecurityIoTRawEvent \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime)\n | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n // *************** Prefilterring *****************************************************************\n |where (eventresult=='*' or eventresult=='Success')\n and (array_length(hostname_has_any)==0) \n and (array_length(dvcaction) ==0 ) /// if filtered by action return 
nothing\n and EventDetails has tostring(dstportnumber)\n and (array_length (ip_any)==0 or has_any_ipv4_prefix(EventDetails,ip_any))\n // *************** Prefilterring *****************************************************************\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n | where (isnull(dstportnumber) or (not(outbound) and dstportnumber == LocalPort) or (outbound and dstportnumber == RemotePort) ) \n ;\n let parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:long ','\n '\"BytesOut\":' BytesOut:long ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n }\n ; \n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | extend temp_isSrcMatch=has_any_ipv4_prefix(LocalAddress,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(RemoteAddress,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , 
temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"UID\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n has_any_ipv4_prefix(RemoteAddress,src_or_any)\n ) \n , temp_isDstMatch=(\n has_any_ipv4_prefix(LocalAddress,dst_or_any) \n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"UID\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", 
\"Linux\", \"Windows\")\n ;\n let NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | project-away outbound\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n NetworkSessionMD4IoT};\n parser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Defender for IoT micro agent", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMD4IoTAgent", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n 
ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix, srcipaddr_has_any_prefix); \n let DirectionNetworkEvents =\n SecurityIoTRawEvent \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime)\n | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n // *************** Prefilterring *****************************************************************\n |where (eventresult=='*' or eventresult=='Success')\n and (array_length(hostname_has_any)==0) \n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and EventDetails has tostring(dstportnumber)\n and (array_length (ip_any)==0 or has_any_ipv4_prefix(EventDetails,ip_any))\n // *************** Prefilterring *****************************************************************\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n | where (isnull(dstportnumber) or (not(outbound) and dstportnumber == LocalPort) or (outbound and dstportnumber == RemotePort) ) \n ;\n let parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:long ','\n '\"BytesOut\":' BytesOut:long ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' 
DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n }\n ; \n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | extend temp_isSrcMatch=has_any_ipv4_prefix(LocalAddress,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(RemoteAddress,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"UID\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n 
has_any_ipv4_prefix(RemoteAddress,src_or_any)\n ) \n , temp_isDstMatch=(\n has_any_ipv4_prefix(LocalAddress,dst_or_any) \n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"UID\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | project-away outbound\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n NetworkSessionMD4IoT};\n parser(starttime, endtime, 
srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json index 6d4e4916c3e..55a8f122183 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMD4IoTSensor')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMD4IoTSensor", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Defender for IoT sensor logs", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMD4IoTSensor", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n DefenderIoTRawEvent\n | where RawEventName == \"NetworkConnectionData\"\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and not(disabled)\n and (array_length(dvcaction) == 0)\n and (array_length(hostname_has_any) == 0)\n and (eventresult in (\"*\",\"Success\"))\n | extend\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\n SrcIpAddr = tostring(EventDetails.Source.IPAddress)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend 
ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend\n DstPortNumber = toint(EventDetails.Destination.Port)\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | project-rename \n DvcSubscriptionId = AzureSubscriptionId\n | extend \n Dvc = tostring(EventDetails.SourceId),\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\n DstDescription = tostring(EventDetails.Destination.DeviceName),\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\n SrcPortNumber = toint(EventDetails.Source.Port),\n SrcDescription = tostring(EventDetails.Source.DeviceName),\n EventOriginalUid = tostring(EventDetails.Id),\n EventEndTime = todatetime(EventDetails.LastSeen),\n EventStartTime = todatetime(EventDetails.StartTime),\n NetworkProtocol = tostring(EventDetails.TransportProtocol)\n | extend\n EventProduct = 'Defender for IoT',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.4',\n EventCount = toint(1),\n EventSeverity = 'Informational',\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\n EventVendor = 'Microsoft',\n DstDvcIdType = 'MD4IoTid',\n SrcDvcIdType = 'MD4IoTid'\n | extend // -- Aliases\n Dst = coalesce(DstIpAddr,DstMacAddr),\n Src = coalesce(SrcIpAddr,SrcMacAddr),\n IpAddr = SrcIpAddr,\n EventStartTime = EventEndTime\n | project-away \n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\n | project-away EventDetails, AssociatedResourceId\n};\nparser (\n 
starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Defender for IoT sensor logs", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMD4IoTSensor", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n DefenderIoTRawEvent\n | where RawEventName == \"NetworkConnectionData\"\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and not(disabled)\n and (array_length(dvcaction) == 0)\n and (array_length(hostname_has_any) == 0)\n and (eventresult in (\"*\",\"Success\"))\n | extend\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\n SrcIpAddr = tostring(EventDetails.Source.IPAddress)\n | extend 
temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend\n DstPortNumber = toint(EventDetails.Destination.Port)\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | project-rename \n DvcSubscriptionId = AzureSubscriptionId\n | extend \n Dvc = tostring(EventDetails.SourceId),\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\n DstDescription = tostring(EventDetails.Destination.DeviceName),\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\n SrcPortNumber = toint(EventDetails.Source.Port),\n SrcDescription = tostring(EventDetails.Source.DeviceName),\n EventOriginalUid = tostring(EventDetails.Id),\n EventEndTime = todatetime(EventDetails.LastSeen),\n EventStartTime = todatetime(EventDetails.StartTime),\n NetworkProtocol = tostring(EventDetails.TransportProtocol)\n | extend\n EventProduct = 'Defender for IoT',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.4',\n EventCount = toint(1),\n EventSeverity = 'Informational',\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\n EventVendor = 'Microsoft',\n DstDvcIdType = 'MD4IoTid',\n SrcDvcIdType = 'MD4IoTid'\n | extend // -- Aliases\n Dst = coalesce(DstIpAddr,DstMacAddr),\n Src = coalesce(SrcIpAddr,SrcMacAddr),\n IpAddr = SrcIpAddr,\n EventStartTime = EventEndTime\n | project-away \n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, 
AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\n | project-away EventDetails, AssociatedResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json index 45542d94910..8673d8717b4 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json 
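Review bot: The flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource drops the parent workspace declaration and its `dependsOn`, so the deployment now requires the workspace named by `parameters('Workspace')` to already exist and fails rather than creating it, and nothing in the template records that precondition. The old form issued a PUT on the workspace itself with only a name and location, which the new child-resource form avoids, so the behavioural change is intentional but undocumented; if the `parameters` block above this hunk carries no `metadata`, a description such as `"description": "Name of an existing Log Analytics workspace; the parser is deployed into it as a savedSearches child resource."` would make the contract explicit. The same applies to the vimNetworkSessionMicrosoft365Defender hunk that follows and, as far as visible, to the vimNetworkSessionMicrosoftLinuxSysmon hunk, and since these files are emitted by KqlFuncYaml2Arm.py from func_arm_template.json the wording belongs in that source template rather than in each generated file.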
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoft365Defender')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoft365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for M365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoft365Defender", - "query": "let M365Defender=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false\n ){\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n// -- Common preprocessing to both input and outbound events\nlet RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or 
TimeGenerated<=endtime) \n | where not(disabled)\n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp // , SourceSystem, TenantId, \n // -- Pre-filtering\n |where (array_length(dvcaction)==0 ) /// if filtered by action return nothing\n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort)\n and (array_length(hostname_has_any)==0 \n or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any)\n )\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n (Outbound and has_any_ipv4_prefix(LocalIP,src_or_any))\n or\n (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any))\n ) \n , temp_isDstMatch=(\n (not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any))\n or\n (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any))\n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')\n | where (eventresult=='*' or EventResult==eventresult)\n // -- End of pre-filtering\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-away \n ReportId, Outbound\n | project-rename \n EventOriginalResultDetails = 
ActionType\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | project-away Protocol\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | project-away RemoteUrl, DeviceName\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n};\nlet OutboundNetworkEvents = \n RawNetworkEvents (true)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** /Postfilterring *****************************************************************\n | extend temp_isMatchSrcHostname=DvcHostname has_any(hostname_has_any)\n , temp_isMatchDstHostname=UrlHostname has_any(hostname_has_any)\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_isMatchDstHostname and temp_isMatchSrcHostname, \"Both\",\n temp_isMatchDstHostname, \"DstHostname\",\n temp_isMatchSrcHostname, \"SrcHostname\",\n \"No match\"\n )\n | project-away temp*\n | where 
ASimMatchingHostname != \"No match\"\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcFQDN,\n SrcDomainType = DvcDomainType\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n;\nlet InboundNetworkEvents = \n RawNetworkEvents (false)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** /Postfilterring *****************************************************************\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"\",\n UrlHostname has_any(hostname_has_any), \"SrcHostname\",\n DvcHostname has_any(hostname_has_any), \"DstHostname\",\n \"No 
match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | extend \n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = DstProcessName,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n;\nunion InboundNetworkEvents, OutboundNetworkEvents\n| project-rename \n Hostname = UrlHostname\n| extend // aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr \n};\nM365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for M365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoft365Defender", + "query": "let M365Defender=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false\n ){\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n// -- Common preprocessing to both input and outbound events\nlet RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp // , SourceSystem, TenantId, \n // -- Pre-filtering\n |where (array_length(dvcaction)==0 
) /// if filtered by action return nothing\n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort)\n and (array_length(hostname_has_any)==0 \n or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any)\n )\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n (Outbound and has_any_ipv4_prefix(LocalIP,src_or_any))\n or\n (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any))\n ) \n , temp_isDstMatch=(\n (not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any))\n or\n (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any))\n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')\n | where (eventresult=='*' or EventResult==eventresult)\n // -- End of pre-filtering\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-away \n ReportId, Outbound\n | project-rename \n EventOriginalResultDetails = ActionType\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain 
== '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | project-away Protocol\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | project-away RemoteUrl, DeviceName\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n};\nlet OutboundNetworkEvents = \n RawNetworkEvents (true)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** /Postfilterring *****************************************************************\n | extend temp_isMatchSrcHostname=DvcHostname has_any(hostname_has_any)\n , temp_isMatchDstHostname=UrlHostname has_any(hostname_has_any)\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_isMatchDstHostname and temp_isMatchSrcHostname, \"Both\",\n temp_isMatchDstHostname, \"DstHostname\",\n temp_isMatchSrcHostname, \"SrcHostname\",\n \"No match\"\n )\n | project-away temp*\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = 
InitiatingProcessAccountUpn\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcFQDN,\n SrcDomainType = DvcDomainType\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n;\nlet InboundNetworkEvents = \n RawNetworkEvents (false)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** /Postfilterring *****************************************************************\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"\",\n UrlHostname has_any(hostname_has_any), \"SrcHostname\",\n DvcHostname has_any(hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = 
InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | extend \n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = DstProcessName,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n;\nunion InboundNetworkEvents, OutboundNetworkEvents\n| project-rename \n Hostname = UrlHostname\n| extend // aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr \n};\nM365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json index 9db0e2bb7d4..f0cdaf3bd64 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionLinuxSysmon", - "query": "let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet DirectionNetworkEvents =\n Syslog \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | project SyslogMessage, TimeGenerated, HostIP\n | where SyslogMessage has_all ('3')\n // *************** Prefilterring *****************************************************************\n | where \n (eventresult=='*' or eventresult=='Success')\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(SyslogMessage,ip_any)\n ) \n and (array_length(hostname_has_any)==0 \n or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \n // *************** / Prefilterring ***************************************************************\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | where 
(array_length(srcipaddr_has_any_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\n ) \n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n;\nlet parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\n};\nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n| extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n)\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\n , temp_isDstHostMatch = (DstHostname has_any (hostname_has_any))\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcHostMatch and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcHostMatch, \"SrcHostname\"\n , 
temp_isDstHostMatch, \"DstHostname\"\n , \"No match\"\n)\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcAppType = 'Process'\n | project-rename\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process\n | extend\n SrcAppName = SrcProcessName\n | project-away SyslogMessage\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n DstUsernameType = 'Simple',\n DstAppType = 'Process' \n | project-rename\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process\n | extend\n DstAppName = DstProcessName\n | project-away SyslogMessage\n;\nlet SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = 'NetworkSession', \n 
EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n NetworkProtocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-away outbound, Protocol\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n;\nSysmonForLinuxNetwork ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionLinuxSysmon", + "query": "let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet DirectionNetworkEvents =\n Syslog \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | project SyslogMessage, TimeGenerated, HostIP\n | where SyslogMessage has_all ('3')\n // *************** Prefilterring *****************************************************************\n | where \n (eventresult=='*' or eventresult=='Success')\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(SyslogMessage,ip_any)\n ) \n and 
(array_length(hostname_has_any)==0 \n or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \n // *************** / Prefilterring ***************************************************************\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | where (array_length(srcipaddr_has_any_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\n ) \n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n;\nlet parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\n};\nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n| extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n)\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\n , temp_isDstHostMatch = (DstHostname 
has_any (hostname_has_any))\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcHostMatch and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcHostMatch, \"SrcHostname\"\n , temp_isDstHostMatch, \"DstHostname\"\n , \"No match\"\n)\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcAppType = 'Process'\n | project-rename\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process\n | extend\n SrcAppName = SrcProcessName\n | project-away SyslogMessage\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n DstUsernameType = 'Simple',\n DstAppType = 'Process' \n | project-rename\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process\n | extend\n DstAppName = DstProcessName\n | 
project-away SyslogMessage\n;\nlet SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n NetworkProtocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-away outbound, Protocol\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n;\nSysmonForLinuxNetwork ",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json
index 4a114a7d84b..b0c8ada05ca 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json
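Review bot: With the parent `Microsoft.OperationalInsights/workspaces` resource and its `dependsOn` gone, the new `workspaces/savedSearches` resource assumes `parameters('Workspace')` already exists, and that assumption is recorded nowhere in the template; the deploying identity presumably now needs write only on the saved search rather than on the workspace itself, which is a narrower grant worth stating for operators. The `Workspace` parameter's `metadata.description`, in the parameters section above this hunk, is the place for it, e.g. `"description": "Name of an existing Log Analytics workspace; this template only deploys the saved search and does not create or modify the workspace."`. Separately, `"etag": "*"` on the re-added properties block means every deployment unconditionally overwrites whatever is stored under that saved-search id, including edits made in the portal, which is presumably intended for parser upgrades but should be understood by anyone customizing the function locally. The same points apply to the `vimNetworkSessionMicrosoftSecurityEventFirewall` hunk that follows.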
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoftSecurityEventFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoftSecurityEventFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Windows Firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoftSecurityEventFirewall", - "query": "let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n 
'%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false\n) { \n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let SecurityEventProjected =\n SecurityEvent\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n ;\n // Event IDs between (5151 .. 
5159)\n // will be extracting Event specific fields from 'EventData' field\n let SecurityEvent_5152 = \n SecurityEventProjected \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID==5152\n // *************** Prefilterring *****************************************************************\n |where (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (array_length(dvcaction)==0 or (dvcaction=='Deny') ) \n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or eventresult=='Failure')\n // *************** / Prefilterring *****************************************************************\n | extend EventResult = \"Failure\"\n | parse EventData with * \n ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*, EventData\n ;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEventProjected \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID in (5154, 5155, 
5158, 5159)\n // *************** Prefilterring *****************************************************************\n |where (array_length(dstipaddr_has_any_prefix)==0 ) \n and (array_length(hostname_has_any)==0 ) \n and (isnull(dstportnumber) ) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID in (5154,5158)) \n or (dvcaction=='Deny' and EventID !in (5154,5158))\n ) \n | extend EventResult = iff(EventID in (5154, 5158), \"Success\", \"Failure\")\n | where (eventresult=='*' or EventResult==eventresult)\n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=false\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_* , EventData\n ;\n let SecurityEvent_5156_5157 =\n SecurityEventProjected\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID in (5156, 5157)\n | extend EventResult = iff(EventID == 5156, \"Success\", \"Failure\")\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or 
TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID == 5156) \n or (dvcaction=='Deny' and EventID <> 5156)\n )\n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or EventResult==eventresult) \n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'DirectionCode:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID:string''\n '\\x0d\\x0a 'RemoteMachineID:string''*\n | project-away EventData\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n ;\n union SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152\n | lookup Directions on DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\n 
SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away Application, RemoteMachineID, ProcessId, RemoteUserID\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\n // *************** / Postfilterring *****************************************************************\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.3\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n // -- Aliases\n | extend \n Dvc = DvcHostname,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring(NetworkRuleNumber),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\n };\n parser(starttime=starttime, \n endtime=endtime, \n 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Windows Firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoftSecurityEventFirewall", + "query": "let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 
'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false\n) { \n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let SecurityEventProjected =\n SecurityEvent\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n ;\n // Event IDs between (5151 .. 
5159)\n // will be extracting Event specific fields from 'EventData' field\n let SecurityEvent_5152 = \n SecurityEventProjected \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID==5152\n // *************** Prefilterring *****************************************************************\n |where (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (array_length(dvcaction)==0 or (dvcaction=='Deny') ) \n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or eventresult=='Failure')\n // *************** / Prefilterring *****************************************************************\n | extend EventResult = \"Failure\"\n | parse EventData with * \n ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*, EventData\n ;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEventProjected \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID in (5154, 5155, 
5158, 5159)\n // *************** Prefilterring *****************************************************************\n |where (array_length(dstipaddr_has_any_prefix)==0 ) \n and (array_length(hostname_has_any)==0 ) \n and (isnull(dstportnumber) ) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID in (5154,5158)) \n or (dvcaction=='Deny' and EventID !in (5154,5158))\n ) \n | extend EventResult = iff(EventID in (5154, 5158), \"Success\", \"Failure\")\n | where (eventresult=='*' or EventResult==eventresult)\n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=false\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_* , EventData\n ;\n let SecurityEvent_5156_5157 =\n SecurityEventProjected\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID in (5156, 5157)\n | extend EventResult = iff(EventID == 5156, \"Success\", \"Failure\")\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or 
TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID == 5156) \n or (dvcaction=='Deny' and EventID <> 5156)\n )\n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or EventResult==eventresult) \n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'DirectionCode:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID:string''\n '\\x0d\\x0a 'RemoteMachineID:string''*\n | project-away EventData\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n ;\n union SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152\n | lookup Directions on DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\n 
SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away Application, RemoteMachineID, ProcessId, RemoteUserID\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\n // *************** / Postfilterring *****************************************************************\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.3\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n // -- Aliases\n | extend \n Dvc = DvcHostname,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring(NetworkRuleNumber),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\n };\n parser(starttime=starttime, \n endtime=endtime, \n 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json index 89f417af727..874a35dc85d 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoftSysmon", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false\n) {\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet Sysmon3_Event=Event\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n // -- Pre-filtering:\n | where (eventresult == '*' or eventresult == 'Success')\n and array_length(dvcaction) == 0\n // dstportnumber filter used later in the parser\n // hostname_has_any used later in the parser \n // -- End pre-filtering\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | parse-kv EventData as (\n SourceIp: string,\n 
DestinationIp: string,\n SourceHostname: string,\n DestinationHostname: string,\n Initiated: bool, // Initiated indicates the process initiated a connection (meaning outbound)\n RuleName: string,\n UtcTime: datetime,\n ProcessGuid: string,\n ProcessId: string,\n Image: string,\n User: string,\n Protocol: string,\n SourceIsIpv6: bool,\n SourcePort: int,\n SourcePortName: string,\n DestinationIsIpv6: bool,\n DestinationPort: int,\n DestinationPortName: string\n )\n with (regex=@'{?([^>]*?)}?')\n | where (array_length(ip_any) == 0 \n or has_any_ipv4_prefix(EventData, ip_any)\n ) \n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SourceHostname has_any (hostname_has_any) or DestinationHostname has_any (hostname_has_any)\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\n ,\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\" // match not requested: probably most common case\n ,\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\" // has to be checked before the individual \n ,\n temp_isSrcMatch,\n \"SrcIpAddr\"\n ,\n temp_isDstMatch,\n \"DstIpAddr\"\n ,\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away EventData\n | project-rename\n SrcHostname = SourceHostname,\n DstHostname = DestinationHostname\n | project-away\n Source,\n EventLog,\n EventCategory,\n UserName,\n Message,\n ParameterXml,\n RenderedDescription,\n MG,\n AzureDeploymentID,\n Role; \nSysmon3_Event\n| extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n| extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n 
SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\")\n| project-away ProcessId, ProcessGuid, Image, AppName\n| project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName\n| extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated,\n DstHostname,\n not(Initiated),\n SrcHostname,\n Dvc\n ),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n| extend\n DvcHostname = Hostname\n| extend\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n| project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n| invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n| invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n| invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n| project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n| extend \n 
NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n| project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,\n _ResourceId\n};\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoftSysmon", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false\n) {\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet Sysmon3_Event=Event\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n // -- Pre-filtering:\n | where (eventresult == '*' or eventresult == 'Success')\n and array_length(dvcaction) == 0\n // dstportnumber 
filter used later in the parser\n // hostname_has_any used later in the parser \n // -- End pre-filtering\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | parse-kv EventData as (\n SourceIp: string,\n DestinationIp: string,\n SourceHostname: string,\n DestinationHostname: string,\n Initiated: bool, // Initiated indicates the process initiated a connection (meaning outbound)\n RuleName: string,\n UtcTime: datetime,\n ProcessGuid: string,\n ProcessId: string,\n Image: string,\n User: string,\n Protocol: string,\n SourceIsIpv6: bool,\n SourcePort: int,\n SourcePortName: string,\n DestinationIsIpv6: bool,\n DestinationPort: int,\n DestinationPortName: string\n )\n with (regex=@'{?([^>]*?)}?')\n | where (array_length(ip_any) == 0 \n or has_any_ipv4_prefix(EventData, ip_any)\n ) \n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SourceHostname has_any (hostname_has_any) or DestinationHostname has_any (hostname_has_any)\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\n ,\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\" // match not requested: probably most common case\n ,\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\" // has to be checked before the individual \n ,\n temp_isSrcMatch,\n \"SrcIpAddr\"\n ,\n temp_isDstMatch,\n \"DstIpAddr\"\n ,\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away EventData\n | project-rename\n SrcHostname = SourceHostname,\n DstHostname = DestinationHostname\n | project-away\n Source,\n EventLog,\n EventCategory,\n UserName,\n Message,\n ParameterXml,\n RenderedDescription,\n MG,\n AzureDeploymentID,\n Role; \nSysmon3_Event\n| extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n| extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = 
iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\")\n| project-away ProcessId, ProcessGuid, Image, AppName\n| project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName\n| extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated,\n DstHostname,\n not(Initiated),\n SrcHostname,\n Dvc\n ),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n| extend\n DvcHostname = Hostname\n| extend\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n| project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n| invoke \n 
_ASIM_ResolveSrcFQDN('TmpSrcHostname')\n| invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n| invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n| project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n| extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n| project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,\n _ResourceId\n};\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json index 37eef261dfd..49666efc4b6 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json 
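Review bot: The filter `where` inside the new query string mixes `and` and `or` without grouping, and because KQL binds `and` tighter than `or`, `and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SourceHostname has_any (hostname_has_any) or DestinationHostname has_any (hostname_has_any)` does not apply the parameter filters as a conjunction: a row that matches only the hostname filter passes even when the IP-prefix filter rejected it, and when `dstportnumber` is null the hostname filter is never applied at all. Each parameter filter should be its own parenthesized group, `and (isnull(dstportnumber) or dstportnumber == DestinationPort)` and `and (array_length(hostname_has_any) == 0 or SourceHostname has_any (hostname_has_any) or DestinationHostname has_any (hostname_has_any))`, so the filtering parser returns exactly what the caller asked for. The same expression appears in the vimNetworkSessionMicrosoftSysmonWindowsEvent hunk (with SrcHostname/DstHostname). The defect is carried over from the old nested resource rather than introduced here, but since this generated template is the deployed artifact, the correction presumably belongs in the parser source the template is generated from.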
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoftSysmonWindowsEvent", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false\n) {\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet Sysmon3_WindowsEvent=WindowsEvent\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // -- Pre-filtering:\n | where (eventresult == '*' or eventresult == 'Success') \n and array_length(dvcaction) == 0\n // dstportnumber filter used later in the parser\n // hostname_has_any used later in the parser \n // -- End pre-filtering\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | 
extend\n SourceIp = tostring(EventData.SourceIp),\n DestinationIp = tostring(EventData.DestinationIp),\n DstHostname = tostring(EventData.DestinationHostname),\n SrcHostname = tostring(EventData.SrcHostname),\n RuleName = tostring(EventData.RuleName),\n UtcTime = todatetime(EventData.UtcTime),\n ProcessId = tostring(EventData.ProcessId),\n Image = tostring(EventData.Image),\n User = tostring(EventData.User),\n Protocol = tostring(EventData.Protocol),\n Initiated = tobool(EventData.Initiated), // Initiated indicates the process initiated a connection (meaning outbound)\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\n SourcePort = toint(EventData.SourcePort),\n SourcePortName = tostring(EventData.SourcePortName),\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\n DestinationPort = toint(EventData.DestinationPort),\n DestinationPortName = tostring(EventData.DestinationPortName)\n | where (array_length(ip_any) == 0 \n or has_any_ipv4_prefix(EventData, ip_any)\n ) \n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SrcHostname has_any (hostname_has_any) or DstHostname has_any (hostname_has_any)\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\n ,\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\" // match not requested: probably most common case\n ,\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\" // has to be checked before the individual \n ,\n temp_isSrcMatch,\n \"SrcIpAddr\"\n ,\n temp_isDstMatch,\n \"DstIpAddr\"\n ,\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse EventData.ProcessGuid with \"{\" ProcessGuid \"}\"\n | project-away EventData\n | project-away\n Provider,\n Channel,\n Task,\n Data,\n RawEventData,\n EventOriginId;\nSysmon3_WindowsEvent\n| extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n| extend\n 
SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\")\n| project-away ProcessId, ProcessGuid, Image, AppName\n| project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n| extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated,\n DstHostname,\n not(Initiated),\n SrcHostname,\n Dvc\n ),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n| extend\n DvcHostname = Hostname\n| extend\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n| project-rename\n TmpSrcHostname = SrcHostname,\n 
TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n| invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n| invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n| invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n| project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n| extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n| project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n _ResourceId,\n Version\n};\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoftSysmonWindowsEvent", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false\n) {\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet 
dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet Sysmon3_WindowsEvent=WindowsEvent\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // -- Pre-filtering:\n | where (eventresult == '*' or eventresult == 'Success') \n and array_length(dvcaction) == 0\n // dstportnumber filter used later in the parser\n // hostname_has_any used later in the parser \n // -- End pre-filtering\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | extend\n SourceIp = tostring(EventData.SourceIp),\n DestinationIp = tostring(EventData.DestinationIp),\n DstHostname = tostring(EventData.DestinationHostname),\n SrcHostname = tostring(EventData.SrcHostname),\n RuleName = tostring(EventData.RuleName),\n UtcTime = todatetime(EventData.UtcTime),\n ProcessId = tostring(EventData.ProcessId),\n Image = tostring(EventData.Image),\n User = tostring(EventData.User),\n Protocol = tostring(EventData.Protocol),\n Initiated = tobool(EventData.Initiated), // Initiated indicates the process initiated a connection (meaning outbound)\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\n SourcePort = toint(EventData.SourcePort),\n SourcePortName = tostring(EventData.SourcePortName),\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\n DestinationPort = toint(EventData.DestinationPort),\n DestinationPortName = tostring(EventData.DestinationPortName)\n | where (array_length(ip_any) == 0 \n or has_any_ipv4_prefix(EventData, ip_any)\n ) \n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SrcHostname has_any (hostname_has_any) or DstHostname has_any (hostname_has_any)\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\n ,\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\n | extend 
ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\" // match not requested: probably most common case\n ,\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\" // has to be checked before the individual \n ,\n temp_isSrcMatch,\n \"SrcIpAddr\"\n ,\n temp_isDstMatch,\n \"DstIpAddr\"\n ,\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse EventData.ProcessGuid with \"{\" ProcessGuid \"}\"\n | project-away EventData\n | project-away\n Provider,\n Channel,\n Task,\n Data,\n RawEventData,\n EventOriginId;\nSysmon3_WindowsEvent\n| extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n| extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\")\n| project-away ProcessId, ProcessGuid, Image, AppName\n| project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n| extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated,\n DstHostname,\n not(Initiated),\n SrcHostname,\n Dvc\n ),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 
'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n| extend\n DvcHostname = Hostname\n| extend\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n| project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n| invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n| invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n| invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n| project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n| extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n| project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n _ResourceId,\n Version\n};\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file 
+}
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json
index cb60e79f89b..49edb72a4ef 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json
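Review bot: In the new query string, `SrcHostname = tostring(EventData.SrcHostname)` reads a field whose name does not match its pair `DstHostname = tostring(EventData.DestinationHostname)`; the sibling Event-table parser in this commit reads `SourceHostname` from the same Sysmon Event 3 data, so this most likely should be `SrcHostname = tostring(EventData.SourceHostname)`. If the field name is indeed wrong, SrcHostname is always empty, which also silently defeats the `hostname_has_any` filter on the source side and the `_ASIM_ResolveSrcFQDN` enrichment. The `and`/`or` precedence issue noted on the vimNetworkSessionMicrosoftSysmon hunk applies to this query's `where` as well. This is pre-existing content carried over by the restructuring rather than introduced by it.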
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoftWindowsEventFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoftWindowsEventFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Windows Firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoftWindowsEventFirewall", - "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 
'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n WindowsEvent \n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n |where not(disabled)\n | where EventID between (5150 .. 
5159)\n | extend EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\")\n // *************** Prefilterring *******************\n | where (isnull(dstportnumber) or EventData has tostring(dstportnumber)) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData,ip_any)) \n and (array_length(hostname_has_any)==0 ) \n and (array_length(dvcaction)==0 ) \n and (eventresult=='*' or EventResult==eventresult)\n // *************** Prefilterring *****************************************************************\n | extend SrcIpAddr = tostring(EventData.SourceAddress)\n , DstIpAddr = tostring(EventData.DestAddress)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = toint(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | project-rename DvcHostname = Computer\n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber = toint(EventData.SourcePort),\n DstPortNumber = toint(EventData.DestPort),\n SrcProcessId = iff(isOutBound, 
tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.3\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n // -- Aliases\n | extend \n Dvc = DvcHostname,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring(NetworkRuleNumber),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\n };\n parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n 
eventresult=eventresult, \n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Windows Firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoftWindowsEventFirewall", + "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent 
table\n//////////////////////////////////////////////////////\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n WindowsEvent \n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n |where not(disabled)\n | where EventID between (5150 .. 5159)\n | extend EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\")\n // *************** Prefilterring *******************\n | where (isnull(dstportnumber) or EventData has tostring(dstportnumber)) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData,ip_any)) \n and (array_length(hostname_has_any)==0 ) \n and (array_length(dvcaction)==0 ) \n and (eventresult=='*' or EventResult==eventresult)\n // *************** Prefilterring *****************************************************************\n | extend SrcIpAddr = tostring(EventData.SourceAddress)\n , DstIpAddr = tostring(EventData.DestAddress)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , 
temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = toint(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | project-rename DvcHostname = Computer\n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber = toint(EventData.SourcePort),\n DstPortNumber = toint(EventData.DestPort),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.3\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n 
EventProduct = \"Windows Firewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n // -- Aliases\n | extend \n Dvc = DvcHostname,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring(NetworkRuleNumber),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\n };\n parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json index 8eff404a343..76cc5af26db 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Sentinel native Network Session table", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionNative", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n ASimNetworkSessionLogs \n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and not(disabled)\n and (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n and (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult == \"*\" or eventresult==EventResult)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, 
\"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n |extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 ,\"\",\n SrcHostname has_any(hostname_has_any), \"SrcHostname\",\n DstHostname has_any(hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"NetworkSession\",\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = case(EventType == 'L2NetworkSession',\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = DstUsername,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId\n | project-away\n TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Sentinel native Network Session table", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionNative", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n ASimNetworkSessionLogs \n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and not(disabled)\n and (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n and (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult == \"*\" or eventresult==EventResult)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, 
\"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n |extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 ,\"\",\n SrcHostname has_any(hostname_has_any), \"SrcHostname\",\n DstHostname has_any(hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"NetworkSession\",\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = case(EventType == 'L2NetworkSession',\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = DstUsername,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId\n | project-away\n TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n 
dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json index 5522d220ca4..41068b9fe31 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json 
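Review bot: In the aliases `extend` of the vimNetworkSessionNative query on the new side of this hunk, `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests the end time rather than the start time, so a record with a null EventStartTime and a non-null EventEndTime keeps a null start time; this looks like a copy-paste slip from the EventEndTime line directly above it. The intended line is presumably `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`. This ARM file appears to be generated from the parser's YAML definition, so the correction belongs in that source and the JSON should be regenerated rather than hand-edited. The commit itself only flattens the savedSearches resource layout and does not touch this expression.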
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionPaloAltoCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionPaloAltoCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Palo Alto PanOS", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionPaloAltoCEF", - "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet NWParser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n| where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == 
\"TRAFFIC\"\n| where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n and (array_length(hostname_has_any)==0)\n // dvcaction - post filterring\n and (eventresult==\"*\" or (DeviceAction==\"allow\" and eventresult==\"Success\") or (eventresult==\"Failure\" and DeviceAction!=\"allow\"))\n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\n EventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\"\n , DstBytes=tolong(ReceivedBytes) \n , SrcBytes=tolong(SentBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername 
contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.3\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n | extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n// Action post filtering\n| where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Rule=NetworkRuleName,\n Dst=DstIpAddr,\n // Host=DstHostname,\n User=DstUsername,\n Duration=NetworkDuration,\n SessionId=NetworkSessionId,\n 
EventEndTime =EventStartTime,\n Src=SrcIpAddr\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Palo Alto PanOS", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionPaloAltoCEF", + "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet NWParser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), 
ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n| where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n and (array_length(hostname_has_any)==0)\n // dvcaction - post filterring\n and (eventresult==\"*\" or (DeviceAction==\"allow\" and eventresult==\"Success\") or (eventresult==\"Failure\" and DeviceAction!=\"allow\"))\n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , 
EventOriginalSeverity=LogSeverity\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\n EventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\"\n , DstBytes=tolong(ReceivedBytes) \n , SrcBytes=tolong(SentBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.3\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n | extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n// Action post filtering\n| where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , 
SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Rule=NetworkRuleName,\n Dst=DstIpAddr,\n // Host=DstHostname,\n User=DstUsername,\n Duration=NetworkDuration,\n SessionId=NetworkSessionId,\n EventEndTime =EventStartTime,\n Src=SrcIpAddr\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json index acaf82d60ea..b9b4284ad1d 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json 
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\n \"reset-both\", \"Reset\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", \"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", 
\"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n[\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser=(\n disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n and (array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any))\n and (isnull(dstportnumber) or toint(DestinationPort) == dstportnumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: 
string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend \n temp_is_MatchSrcHostname = PanOSSourceDeviceHost has_any (hostname_has_any),\n temp_is_MatchDstHostname = PanOSDestinationDeviceHost has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname,\n \"Both\",\n temp_is_MatchSrcHostname,\n \"SrcHostname\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n // post-filtering\n | where (eventresult == 
\"*\" or eventresult == EventResult)\n and (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n 
\"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n ),\n TcpFlagsFin = iff(Reason== \"tcp-fin\", true, false),\n TcpFlagsRst = iff(Reason in(\"tcp-rst-from-client\", \"tcp-rst-from-server\"), true, false)\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DstUserId = DestinationUserID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = 
EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\", \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\", \"Other\",\n \"\")\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n temp*,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n 
StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\n \"reset-both\", \"Reset\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", 
\"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", \"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n[\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser=(\n disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n and (array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any))\n and (isnull(dstportnumber) or toint(DestinationPort) == dstportnumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n 
temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend \n temp_is_MatchSrcHostname = PanOSSourceDeviceHost has_any (hostname_has_any),\n temp_is_MatchDstHostname = PanOSDestinationDeviceHost has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname,\n \"Both\",\n temp_is_MatchSrcHostname,\n \"SrcHostname\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke 
_ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n // post-filtering\n | where (eventresult == \"*\" or eventresult == EventResult)\n and (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n 
\"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n \"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n ),\n TcpFlagsFin = iff(Reason== \"tcp-fin\", true, false),\n TcpFlagsRst = iff(Reason in(\"tcp-rst-from-client\", \"tcp-rst-from-server\"), true, false)\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DstUserId = DestinationUserID,\n DvcInboundInterface = 
DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\", \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\", \"Other\",\n \"\")\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n 
PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n temp*,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json index 65d81498eb4..3191da3f9c0 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionSentinelOne", - "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser=(\n disabled: bool=false, \n starttime: 
datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let alldata = SentinelOne_CL\n | where not(disabled) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"TCPV4\"\n and (eventresult == \"*\" or eventresult == \"Success\")\n and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)\n and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))\n and (array_length(dvcaction) == 0 or dvcaction has_any (\"Allow\"))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = \"SrcHostname\"\n | where ASimMatchingIpAddr != \"No match\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on 
alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | 
project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n temp*,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionSentinelOne", + "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 
\n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser=(\n disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let alldata = SentinelOne_CL\n | where not(disabled) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"TCPV4\"\n and (eventresult == \"*\" or eventresult == \"Success\")\n and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)\n and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))\n and (array_length(dvcaction) == 0 or dvcaction has_any (\"Allow\"))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = \"SrcHostname\"\n | where ASimMatchingIpAddr != \"No match\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let 
suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = 
\"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n temp*,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json index b1c8c83c648..b45506ed48b 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json 
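Review bot: In the new `query` property, `ASimMatchingHostname = "SrcHostname"` is assigned unconditionally, so a caller that passes no `hostname_has_any` filter still gets `SrcHostname` back, whereas the ASIM convention (and the SonicWall parser in this same change) reports `"-"` when the hostname filter is empty. Because the preceding `where` clause already removes rows whose `agentDetectionInfo_name_s` does not match, the column only has to distinguish the unfiltered case: `ASimMatchingHostname = iff(array_length(hostname_has_any) == 0, "-", "SrcHostname")`. This ARM template is presumably generated from the parser's YAML source, so the correction belongs there rather than in the JSON. Separately, `functionParameters` declares `disabled:bool=False` while the query body declares `disabled: bool=false`; if the capitalised form comes from the generator stringifying a Python boolean, normalising it to `false` would keep the two declarations consistent.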
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionSonicWallFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionSonicWallFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for SonicWall firewalls", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionSonicWallFirewall", - "query": "let Actions=datatable(fw_action:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"\\\"forward\\\"\",\"Allow\"\n, \"\\\"mgmt\\\"\",\"Other\"\n, \"\\\"NA\\\"\",\"Other\"\n, \"deny\",\"Deny\"\n, \"\\\"drop\\\"\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog\n| where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"SonicWall\"\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\n| where 
( isnotempty(SourceIP) and isnotempty(DestinationIP) )\n| where (isnull(dstportnumber) or DestinationPort == dstportnumber) and (array_length(hostname_has_any) == 0)\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n SourceIP = coalesce(SourceIP, srcV6)\n , DestinationIP = coalesce(DestinationIP, dstV6)\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\n| extend\n temp_SrcMatch=has_any_ipv4_prefix(SourceIP, src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP, dst_or_any)\n// Filter by source/dest. 
https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 , \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n| where ASimMatchingIpAddr != \"No match\" \n| project-away temp_*\n| extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\",\n DestinationHostName has_any (hostname_has_any), \"DestinationHostname\",\n \"No match\"\n )\n| extend fw_action = column_ifexists(\"fw_action\", \"\") // Firewall Action, such as drop, forward, mgmt, NA\n| lookup Actions on fw_action\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n// Sets the mandatory EventResult based on the DvcAction.\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n| where (eventresult == \"*\" or eventresult == \"\" or (eventresult has_any(\"Success\", \"Failure\", \"NA\") and EventResult has eventresult))\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n| extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" 
and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n| project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstIpAddr = DestinationIP\n , SrcIpAddr = SourceIP\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , sosSerialNumber = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Category ID and Name\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , Dvc = sosSerialNumber\n , DvcDescription = DeviceProduct\n , NetworkIcmpType = tostring(NetworkIcmpType)\n , NetworkIcmpCode = toint(NetworkIcmpCode)\n , Rule = NetworkRuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = 
extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , SrcZone = sosSourceZone\n , DstZone = sosDestinationZone\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventStartTime = coalesce(todatetime(StartTime), TimeGenerated)\n , EventEndTime = coalesce(todatetime(EndTime), TimeGenerated)\n , EventType = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventSchema = \"NetworkSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"NA\"\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , 
SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , 
NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , 
ipspri\n , spypri\n , sos*\n , RequestURL\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for SonicWall firewalls", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionSonicWallFirewall", + "query": "let Actions=datatable(fw_action:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"\\\"forward\\\"\",\"Allow\"\n, \"\\\"mgmt\\\"\",\"Other\"\n, \"\\\"NA\\\"\",\"Other\"\n, \"deny\",\"Deny\"\n, \"\\\"drop\\\"\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet 
dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog\n| where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"SonicWall\"\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\n| where ( isnotempty(SourceIP) and isnotempty(DestinationIP) )\n| where (isnull(dstportnumber) or DestinationPort == dstportnumber) and (array_length(hostname_has_any) == 0)\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n SourceIP = coalesce(SourceIP, srcV6)\n , DestinationIP = coalesce(DestinationIP, dstV6)\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\n| extend\n temp_SrcMatch=has_any_ipv4_prefix(SourceIP, src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP, dst_or_any)\n// Filter by source/dest. 
https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 , \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n| where ASimMatchingIpAddr != \"No match\" \n| project-away temp_*\n| extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\",\n DestinationHostName has_any (hostname_has_any), \"DestinationHostname\",\n \"No match\"\n )\n| extend fw_action = column_ifexists(\"fw_action\", \"\") // Firewall Action, such as drop, forward, mgmt, NA\n| lookup Actions on fw_action\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n// Sets the mandatory EventResult based on the DvcAction.\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n| where (eventresult == \"*\" or eventresult == \"\" or (eventresult has_any(\"Success\", \"Failure\", \"NA\") and EventResult has eventresult))\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n| extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" 
and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n| project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstIpAddr = DestinationIP\n , SrcIpAddr = SourceIP\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , sosSerialNumber = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Category ID and Name\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , Dvc = sosSerialNumber\n , DvcDescription = DeviceProduct\n , NetworkIcmpType = tostring(NetworkIcmpType)\n , NetworkIcmpCode = toint(NetworkIcmpCode)\n , Rule = NetworkRuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = 
extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , SrcZone = sosSourceZone\n , DstZone = sosDestinationZone\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventStartTime = coalesce(todatetime(StartTime), TimeGenerated)\n , EventEndTime = coalesce(todatetime(EndTime), TimeGenerated)\n , EventType = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventSchema = \"NetworkSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"NA\"\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , 
SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , 
NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , 
ipspri\n , spypri\n , sos*\n , RequestURL\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json index dad47deb4b4..044f4869f8e 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionVMConnection')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionVMConnection", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for VM connection information collected using the Log Analytics agent", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionVMConnection", - "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet VMConnectionProjected = VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let outbound = \n VMConnectionProjected\n | where (isnull(starttime) or TimeGenerated >= 
starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not (disabled)\n | where array_length(hostname_has_any)==0 \n or (Computer has_any (hostname_has_any)) or ( RemoteDnsCanonicalNames has_any (hostname_has_any))\n | where Direction == \"outbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveDstFQDN(\"FQDN\")\n | project-away RemoteDnsCanonicalNames, Computer\n // -- post-filtering\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n 
DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n ;\n let inbound =\n VMConnectionProjected\n | where (starttime == datetime(null) or TimeGenerated >= starttime)\n and (endtime == datetime(null) or TimeGenerated <= endtime)\n | where not (disabled)\n | where Direction == \"inbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (dstportnumber==int(null) or DestinationPort == dstportnumber)\n and (array_length(hostname_has_any)==0 \n or Computer has_any (hostname_has_any) or RemoteDnsCanonicalNames has_any (hostname_has_any)\n )\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n // -- post-filtering\n | extend temp_isMatchSrcHostname= SrcHostname 
has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n ;\n union outbound, inbound\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.3\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp,\n EventReportUrl = ReportReferenceLink,\n ThreatIpAddr = MaliciousIp\n 
// -- Calculated fields\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished),\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for VM connection information collected using the Log Analytics agent", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionVMConnection", + "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet VMConnectionProjected = 
VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let outbound = \n VMConnectionProjected\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not (disabled)\n | where array_length(hostname_has_any)==0 \n or (Computer has_any (hostname_has_any)) or ( RemoteDnsCanonicalNames has_any (hostname_has_any))\n | where Direction == \"outbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // -- End 
pre-filtering\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveDstFQDN(\"FQDN\")\n | project-away RemoteDnsCanonicalNames, Computer\n // -- post-filtering\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n ;\n let inbound =\n VMConnectionProjected\n | where (starttime == datetime(null) or TimeGenerated >= starttime)\n and (endtime == datetime(null) or TimeGenerated <= endtime)\n | where not (disabled)\n | where Direction == \"inbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (dstportnumber==int(null) or DestinationPort == dstportnumber)\n and (array_length(hostname_has_any)==0 \n or Computer has_any (hostname_has_any) or RemoteDnsCanonicalNames has_any (hostname_has_any)\n )\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup 
SeverityLookup on EventOriginalSeverity\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n // -- post-filtering\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n ;\n union outbound, inbound\n // Event fields\n | extend \n 
EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.3\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp,\n EventReportUrl = ReportReferenceLink,\n ThreatIpAddr = MaliciousIp\n // -- Calculated fields\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished),\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, 
dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json index 4b20e5efc8e..7e2ff29b9b9 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionVMwareCarbonBlackCloud", - "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n];\nlet DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: 
string='*', \n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and array_length(hostname_has_any) == 0\n and eventType_s == \"endpoint.event.netconn\"\n and (isnull(dstportnumber) or toint(remote_port_d) == dstportnumber)\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend 
temp_action = tostring(split(action_s, \"|\")[0])\n | extend \n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n sensor_action_s == \"ACTION_ALLOW\" or isempty(sensor_action_s),\n \"Success\",\n \"Failure\"\n ),\n temp_SrcMatch = has_any_ipv4_prefix(local_ip_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(remote_ip_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n DvcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where (eventresult == \"*\" or eventresult =~ EventResult)\n and (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n and ASimMatchingIpAddr != \"No match\"\n and ASimMatchingHostname != \"No match\";\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n 
ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcUsername = process_username_s,\n SrcProcessName = process_path_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n 
EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp*,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + 
"etag": "*", + "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionVMwareCarbonBlackCloud", + "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n];\nlet DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: 
string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and array_length(hostname_has_any) == 0\n and eventType_s == \"endpoint.event.netconn\"\n and (isnull(dstportnumber) or toint(remote_port_d) == dstportnumber)\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend temp_action = tostring(split(action_s, \"|\")[0])\n | extend \n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n sensor_action_s == \"ACTION_ALLOW\" or isempty(sensor_action_s),\n \"Success\",\n \"Failure\"\n ),\n temp_SrcMatch = has_any_ipv4_prefix(local_ip_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(remote_ip_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = case(\n 
array_length(hostname_has_any) == 0,\n \"-\",\n DvcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where (eventresult == \"*\" or eventresult =~ EventResult)\n and (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n and ASimMatchingIpAddr != \"No match\"\n and ASimMatchingHostname != \"No match\";\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = 
coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcUsername = process_username_s,\n SrcProcessName = process_path_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = 
_ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp*,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json index 9ff07625f08..a46f817f897 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Vectra AI Streams", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionVectraAI", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]),\n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false,\n pack:bool=false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'External'];\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\n \"S1\", 'Start',\n \"SF\", 'End'];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n VectraStream_CL\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where not(disabled)\n | where metadata_type_s == 'metadata_isession'\n | project-away MG, ManagementGroupName, RawData, 
SourceSystem, TenantId\n | where array_length(dvcaction) == 0\n | where eventresult == \"*\"\n | where (isnull(dstportnumber) or dstportnumber==id_resp_p_d)\n and (array_length(hostname_has_any)==0 \n or resp_domain_s has_any (hostname_has_any)\n or resp_hostname_s has_any (hostname_has_any)\n or orig_hostname_s has_any (hostname_has_any)\n )\n | extend temp_SrcMatch=has_any_ipv4_prefix(id_orig_h_s,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(id_resp_h_s,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | project-rename\n DstIpAddr = id_resp_h_s,\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n // -- huid does not seem to be unique per device and not mapped for now\n // DstDvcId = resp_huid_s, \n // SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n EventUid = _ItemId\n // -- the domain field may have invalid values. 
Most of them are IP addresses filtered out, but a small fraction are not filtered.\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\n | extend SplitRespDomain = split(resp_domain_s,\".\")\n | extend \n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\n | extend\n DstHostname = case (\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\n DstDescription)\n | project-away SplitRespDomain\n | extend\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkApplicationProtocol = toupper(service_s),\n NetworkProtocol = toupper(protoName_s),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n Dst = DstIpAddr,\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n DstVlanId = tostring(toint(resp_vlan_id_d)),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational',\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\n EventType = 'NetworkSession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\n // -- No ID mapped, since huid found not to be unique\n // SrcDvcIdType = 'VectraId',\n // 
DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n NetworkDuration = toint(duration_d)\n | extend \n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n // SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n Dvc = DvcId,\n Duration = NetworkDuration,\n InnerVlanId = SrcVlanId,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n OuterVlanId = DstVlanId\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup EventSubTypeLookup on conn_state_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_sluid\", orig_sluid_s, \n \"resp_sluid\", resp_sluid_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled, pack=pack)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Vectra AI Streams", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionVectraAI", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]),\n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false,\n pack:bool=false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'External'];\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\n \"S1\", 'Start',\n \"SF\", 'End'];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n VectraStream_CL\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where not(disabled)\n | where metadata_type_s == 'metadata_isession'\n | project-away MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | where array_length(dvcaction) == 0\n | where eventresult == \"*\"\n | where (isnull(dstportnumber) or dstportnumber==id_resp_p_d)\n and (array_length(hostname_has_any)==0 \n or resp_domain_s has_any (hostname_has_any)\n or 
resp_hostname_s has_any (hostname_has_any)\n or orig_hostname_s has_any (hostname_has_any)\n )\n | extend temp_SrcMatch=has_any_ipv4_prefix(id_orig_h_s,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(id_resp_h_s,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | project-rename\n DstIpAddr = id_resp_h_s,\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n // -- huid does not seem to be unique per device and not mapped for now\n // DstDvcId = resp_huid_s, \n // SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n EventUid = _ItemId\n // -- the domain field may have invalid values. 
Most of them are IP addresses filtered out, but a small fraction are not filtered.\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\n | extend SplitRespDomain = split(resp_domain_s,\".\")\n | extend \n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\n | extend\n DstHostname = case (\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\n DstDescription)\n | project-away SplitRespDomain\n | extend\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkApplicationProtocol = toupper(service_s),\n NetworkProtocol = toupper(protoName_s),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n Dst = DstIpAddr,\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n DstVlanId = tostring(toint(resp_vlan_id_d)),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational',\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\n EventType = 'NetworkSession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\n // -- No ID mapped, since huid found not to be unique\n // SrcDvcIdType = 'VectraId',\n // 
DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n NetworkDuration = toint(duration_d)\n | extend \n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n // SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n Dvc = DvcId,\n Duration = NetworkDuration,\n InnerVlanId = SrcVlanId,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n OuterVlanId = DstVlanId\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup EventSubTypeLookup on conn_state_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_sluid\", orig_sluid_s, \n \"resp_sluid\", resp_sluid_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled, pack=pack)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json index b68419222ae..9fcdcc9e9ce 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json 
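Review bot: The eventresult pre-filter on the new side, `| where eventresult == "*"`, drops every row as soon as a caller passes any concrete value, yet the same query later sets `EventResult = 'Success'` unconditionally, so `vimNetworkSessionVectraAI(eventresult='Success')` returns nothing while the unfiltered call returns only rows with EventResult == 'Success'. The guard should accept the one value this parser can emit, `| where eventresult == "*" or eventresult == "Success"`; the neighbouring `array_length(dvcaction) == 0` guard is correct as written, since no action is ever mapped. This ARM file appears to be generated from the parser's YAML definition (the generator in this same diff builds the `concat(parameters('Workspace'), '/<alias>')` name), so the fix belongs in the YAML source with the template regenerated. The restructuring itself is sound — only the `workspaces/savedSearches` child is deployed now, so the deploying identity no longer needs write on the workspace resource — but the template now presumes the workspace already exists, which is worth stating in the Workspace parameter's description.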
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionWatchGuardFirewareOS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionWatchGuardFirewareOS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for WatchGuard Fireware OS", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionWatchGuardFirewareOS", - "query": "let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Allow\",\"Success\",\"Informational\"\n , \"Deny\",\"Failure\",\"Low\"\n ];\n let SyslogParser = (Syslog:(SyslogMessage:string)) {\n Syslog\n | parse-kv SyslogMessage as (geo_src:string\n , geo_dst:string\n , src_user:string\n , dst_user:string\n , duration:int\n , sent_bytes:long\n , rcvd_bytes:long\n , fqdn_src_match:string\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\n | project-rename SrcGeoCountry = 
geo_src\n , DstGeoCountry = geo_dst\n , SrcUsername = src_user\n , DstUsername = dst_user\n , NetworkDuration = duration\n , SrcBytes = sent_bytes\n , DstBytes = rcvd_bytes\n , DstDomain = fqdn_dst_match\n , SrcDomain = fqdn_src_match\n | extend DstDomainType = iif(isnotempty(DstDomain),\"FQDN\",\"\")\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\n | extend SrcUsernameType = case(isempty(SrcUsername), \"\"\n , SrcUsername contains \"@\" , \"UPN\"\n , \"Simple\"\n )\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\n , DstUsername contains \"@\" , \"UPN\"\n , \"Simple\"\n )\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\n | project-away SyslogMessage\n };\n let IPParser = (T:(SrcIpAddr:string,DstIpAddr:string)){\n T\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n };\n let HostParser = (Syslog:(SrcDomain:string,DstDomain:string)){\n Syslog\n | extend temp_SrcMatch = SrcDomain has_any(hostname_has_any)\n , temp_DstMatch= DstDomain has_any(hostname_has_any)\n | extend ASimMatchingHostname =case(\n array_length(hostname_has_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcDomain\",\n temp_DstMatch, \"DstDomain\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\" \n | project-away temp_*\n };\n let AllSyslog = \n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) 
or TimeGenerated<=endtime)\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \n , 'msg_id=\"3000-0149\"' \n , 'msg_id=\"3000-0150\"'\n , 'msg_id=\"3000-0151\"'\n , 'msg_id=\"3000-0173\"'\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any))\n and (array_length(hostname_has_any)==0 or SyslogMessage has_any(hostname_has_any))\n | where (array_length(dvcaction)==0 or SyslogMessage has_any (dvcaction))\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\n | lookup EventLookup on DvcAction\n | where (eventresult=='*' or EventResult == eventresult)\n | project TimeGenerated, SyslogMessage, HostName, DvcAction, EventResult, EventSeverity\n ;\n let Parse1 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse2 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse3 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke 
HostParser()\n ;\n let Parse4 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse5 = \n AllSyslog\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\n | extend EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.4\"\n , EventVendor = \"WatchGuard\"\n , EventProduct = \"Fireware\"\n , EventType = \"NetworkSession\"\n , DvcHostname = HostName\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkProtocol = toupper(NetworkProtocol)\n , NetworkDuration = toint(NetworkDuration * toint(1000))\n , NetworkBytes = SrcBytes + DstBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = TimeGenerated\n , Src = SrcIpAddr\n , Dst = DstIpAddr\n , Duration = NetworkDuration\n , User = DstUsername\n , IpAddr = SrcIpAddr\n | project-rename Dvc = HostName\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for WatchGuard Fireware OS", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionWatchGuardFirewareOS", + "query": "let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Allow\",\"Success\",\"Informational\"\n , \"Deny\",\"Failure\",\"Low\"\n ];\n let SyslogParser = (Syslog:(SyslogMessage:string)) {\n Syslog\n | parse-kv SyslogMessage as (geo_src:string\n , geo_dst:string\n , src_user:string\n , dst_user:string\n , duration:int\n , sent_bytes:long\n , rcvd_bytes:long\n , fqdn_src_match:string\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\n | project-rename SrcGeoCountry = geo_src\n , DstGeoCountry = geo_dst\n , SrcUsername = src_user\n , DstUsername = dst_user\n , NetworkDuration = duration\n , SrcBytes = sent_bytes\n , DstBytes = rcvd_bytes\n , DstDomain = fqdn_dst_match\n , SrcDomain = fqdn_src_match\n | extend DstDomainType = 
iif(isnotempty(DstDomain),\"FQDN\",\"\")\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\n | extend SrcUsernameType = case(isempty(SrcUsername), \"\"\n , SrcUsername contains \"@\" , \"UPN\"\n , \"Simple\"\n )\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\n , DstUsername contains \"@\" , \"UPN\"\n , \"Simple\"\n )\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\n | project-away SyslogMessage\n };\n let IPParser = (T:(SrcIpAddr:string,DstIpAddr:string)){\n T\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n };\n let HostParser = (Syslog:(SrcDomain:string,DstDomain:string)){\n Syslog\n | extend temp_SrcMatch = SrcDomain has_any(hostname_has_any)\n , temp_DstMatch= DstDomain has_any(hostname_has_any)\n | extend ASimMatchingHostname =case(\n array_length(hostname_has_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcDomain\",\n temp_DstMatch, \"DstDomain\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\" \n | project-away temp_*\n };\n let AllSyslog = \n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \n , 'msg_id=\"3000-0149\"' \n , 'msg_id=\"3000-0150\"'\n , 'msg_id=\"3000-0151\"'\n , 'msg_id=\"3000-0173\"'\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\n and 
(array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any))\n and (array_length(hostname_has_any)==0 or SyslogMessage has_any(hostname_has_any))\n | where (array_length(dvcaction)==0 or SyslogMessage has_any (dvcaction))\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\n | lookup EventLookup on DvcAction\n | where (eventresult=='*' or EventResult == eventresult)\n | project TimeGenerated, SyslogMessage, HostName, DvcAction, EventResult, EventSeverity\n ;\n let Parse1 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse2 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse3 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse4 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke 
SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse5 = \n AllSyslog\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\n | extend EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.4\"\n , EventVendor = \"WatchGuard\"\n , EventProduct = \"Fireware\"\n , EventType = \"NetworkSession\"\n , DvcHostname = HostName\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkProtocol = toupper(NetworkProtocol)\n , NetworkDuration = toint(NetworkDuration * toint(1000))\n , NetworkBytes = SrcBytes + DstBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = TimeGenerated\n , Src = SrcIpAddr\n , Dst = DstIpAddr\n , Duration = NetworkDuration\n , User = DstUsername\n , IpAddr = SrcIpAddr\n | project-rename Dvc = HostName\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
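Review bot: The dvcaction filter in the new-side query is applied only as a raw-message substring prefilter, `| where (array_length(dvcaction)==0 or SyslogMessage has_any (dvcaction))`, and is never compared against the normalized `DvcAction` extracted two steps later, so a call with `dvcaction=dynamic(['Deny'])` still returns Allow events whose message merely contains that token elsewhere (a rule name, for example). The Zscaler parser in this same diff does the exact check, `| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)`; add the equivalent line after `| lookup EventLookup on DvcAction` here and keep the `has_any` prefilter as a performance hint only. Because this template looks generated from the parser's YAML source, the change should be made there and the ARM file regenerated rather than hand-edited.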
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json index adfe70b3d72..ade8927846f 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Zscaler ZIA firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionZscalerZIA", - "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where 
DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. \n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n 
ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message \n// -- Calculated fields\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Zscaler ZIA firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionZscalerZIA", + "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. 
\n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message \n// -- Calculated 
fields\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
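Review bot: The new `name` line hard-codes the alias `vimNetworkSessionZscalerZIA` a second time, and it must stay identical to the `FunctionAlias` value in `properties` for the deployed function to be callable under that name; nothing in the template records that coupling, so an edit to one of them will drift silently (if these files come from a generator, a short note in its docs that both segments derive from the same alias would cover it). Dropping `dependsOn` together with the parent `Microsoft.OperationalInsights/workspaces` resource is consistent: a `workspaces/savedSearches` resource named `workspace/alias` is resolved against an existing workspace, and the deployment now writes only the saved search instead of also PUTting the workspace through a preview API, which narrows what the deploying identity has to be allowed to do. `"etag": "*"` is carried over, so that write is still an unconditional overwrite of any saved search already using this alias and redeploying discards local edits; worth stating wherever parser deployment is documented. The ASimProcessCreateLinuxSysmon and ASimProcessCreateMicrosoftSecurityEvents hunks below follow the same shape, so the same notes apply there.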
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
index 176aafd3daf..339a961a9ff 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
@@ -12,7 +12,6 @@ References:
 Link: https://aka.ms/ASimNetworkSessionDoc
 - Title: ASIM
 Link: https://aka.ms/AboutASIM
-
 Description: |
 This ASIM parser supports normalizing Network Session logs from all supported sources to the ASIM Network Session normalized schema.
 ParserName: ASimNetworkSession
@@ -55,12 +54,10 @@ Parsers:
 - _ASim_NetworkSession_PaloAltoCortexDataLake
 - _ASim_NetworkSession_SonicWallFirewall
 - _ASim_NetworkSession_IllumioSaaSCore
-
 ParserParams:
 - Name: pack
 Type: bool
 Default: false
-
 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
 let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
@@ -68,7 +65,6 @@ ParserQuery: |
 union isfuzzy=true vimNetworkSessionEmpty
 , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))
- , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))
 , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))
 , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))
diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateLinuxSysmon/ASimProcessCreateLinuxSysmon.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateLinuxSysmon/ASimProcessCreateLinuxSysmon.json
index b0c66877f6f..7c6c5f2c541 100644
--- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateLinuxSysmon/ASimProcessCreateLinuxSysmon.json
+++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateLinuxSysmon/ASimProcessCreateLinuxSysmon.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateLinuxSysmon", - "query": "let ParsedProcessEvent=(){\n Syslog\n | where not(disabled)\n | where SyslogMessage has_all ('1')\n | parse SyslogMessage with \n *\n '' EventRecordId:int ''\n *\n '' SysmonComputer:string ''\n *\n ''RuleName // parsing the XML using the original fields name - for readability \n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId:string\n ''Image\n ''FileVersion\n ''Description\n ''Product\n ''Company'' *\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n | parse SyslogMessage with *\n ''CommandLine''\n ''CurrentDirectory\n ''User\n '{'LogonGuid\n '}'LogonId\n ''TerminalSessionId\n ''IntegrityLevel\n ''Hashes\n '{'ParentProcessGuid\n '}'ParentProcessId:string\n ''ParentImage\n ''ParentCommandLine ''*\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in newer versions of Sysmon \n | extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel 
file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n | project-away SyslogMessage, Hashes\n | extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon for Linux\",\n EventResult = 'Success',\n EventOriginalUid = tostring(EventRecordId),\n DvcOs = \"Linux\",\n TargetUserSessionId = tostring(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n TargetProcessCurrentDirectory = CurrentDirectory,\n ActorUsernameType = \"Simple\",\n EventOriginalType = '1' // Set with a constant value to avoid parsing\n | project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\n DvcIpAddr = HostIP, \n TargetUserSessionGuid = LogonGuid, \n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n | extend // aliases\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n | project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateLinuxSysmon", + "query": "let ParsedProcessEvent=(){\n Syslog\n | where not(disabled)\n | where SyslogMessage has_all ('1')\n | parse SyslogMessage with \n *\n '' EventRecordId:int ''\n *\n '' SysmonComputer:string ''\n *\n ''RuleName // parsing the XML using the original fields name - for readability \n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId:string\n ''Image\n ''FileVersion\n ''Description\n ''Product\n ''Company'' *\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n | parse SyslogMessage with *\n ''CommandLine''\n ''CurrentDirectory\n ''User\n '{'LogonGuid\n '}'LogonId\n ''TerminalSessionId\n ''IntegrityLevel\n ''Hashes\n '{'ParentProcessGuid\n '}'ParentProcessId:string\n ''ParentImage\n ''ParentCommandLine ''*\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in 
newer versions of Sysmon \n | extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n | project-away SyslogMessage, Hashes\n | extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon for Linux\",\n EventResult = 'Success',\n EventOriginalUid = tostring(EventRecordId),\n DvcOs = \"Linux\",\n TargetUserSessionId = tostring(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n TargetProcessCurrentDirectory = CurrentDirectory,\n ActorUsernameType = \"Simple\",\n EventOriginalType = '1' // Set with a constant value to avoid parsing\n | project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\n DvcIpAddr = HostIP, \n TargetUserSessionGuid = LogonGuid, \n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n | extend // aliases\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n | project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSecurityEvents/ASimProcessCreateMicrosoftSecurityEvents.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSecurityEvents/ASimProcessCreateMicrosoftSecurityEvents.json index 4a9a9ccb06f..16bcabd42d6 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSecurityEvents/ASimProcessCreateMicrosoftSecurityEvents.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSecurityEvents/ASimProcessCreateMicrosoftSecurityEvents.json 
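Review bot: The query carried into the new `properties` block names the host field `DvcHostName` (`DvcHostName = SysmonComputer`, `Dvc = DvcHostName`), while the Zscaler and Windows parsers in the neighbouring hunks emit `DvcHostname`; anything that unions these parsers will get the Linux host in a separate column, so the rename should read `DvcHostname = SysmonComputer` and `Dvc = DvcHostname`. This is pre-existing in the moved query rather than introduced by the restructuring, but regenerating the template is the natural moment to fix it. The element names inside the `parse` patterns (`'' EventRecordId:int ''`, `| where SyslogMessage has_all ('1')`) appear with their angle-bracket tags stripped in this rendering, so the parse logic cannot be checked from this page and should be verified against the source YAML.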
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateMicrosoftSecurityEvents", - "query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n// Source: https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n ];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n ];\nlet 
parser=(disabled:bool=false){\nSecurityEvent\n| where not(disabled)\n// -- Filter\n| where EventID == 4688\n// -- Map\n| extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.3',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n| lookup KnownSIDs on $left.TargetUserSid == $right.sid\n| extend\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\n| lookup UserTypeLookup on AccountType\n| extend\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n // Processes\n ActingProcessId = tostring(toint(ProcessId)),\n TargetProcessId = tostring(toint(NewProcessId)),\n TargetProcessCommandLine = CommandLine\n | project-rename\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n ActingProcessName = ParentProcessName,\n TargetProcessName = NewProcessName,\n ActorDomainName = SubjectDomainName,\n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n TargetUserId =TargetUserSid,\n TargetUserSessionId = TargetLogonId,\n EventOriginalUid = EventOriginId,\n TargetProcessTokenElevation = TokenElevationType\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n // -- Remove potentially confusing\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\n | project-away\n TargetDomainName,\n TargetUserName,\n TargetAccount,\n 
EventID\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateMicrosoftSecurityEvents", + "query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n// Source: https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n ];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n ];\nlet parser=(disabled:bool=false){\nSecurityEvent\n| where not(disabled)\n// -- Filter\n| where EventID == 4688\n// -- Map\n| extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.3',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| lookup KnownSIDs on $left.SubjectUserSid == 
$right.sid\n| extend\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n| lookup KnownSIDs on $left.TargetUserSid == $right.sid\n| extend\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\n| lookup UserTypeLookup on AccountType\n| extend\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n // Processes\n ActingProcessId = tostring(toint(ProcessId)),\n TargetProcessId = tostring(toint(NewProcessId)),\n TargetProcessCommandLine = CommandLine\n | project-rename\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n ActingProcessName = ParentProcessName,\n TargetProcessName = NewProcessName,\n ActorDomainName = SubjectDomainName,\n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n TargetUserId =TargetUserSid,\n TargetUserSessionId = TargetLogonId,\n EventOriginalUid = EventOriginId,\n TargetProcessTokenElevation = TokenElevationType\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n // -- Remove potentially confusing\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\n | project-away\n TargetDomainName,\n TargetUserName,\n TargetAccount,\n EventID\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmon/ASimProcessCreateMicrosoftSysmon.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmon/ASimProcessCreateMicrosoftSysmon.json index f9888a6a61b..ac94b8b9a5b 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmon/ASimProcessCreateMicrosoftSysmon.json 
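Review bot: In the query moved into the new `properties` block, the second `lookup KnownSIDs on $left.TargetUserSid == $right.sid` runs while `username` and `type` from the first lookup are still in the row; if `lookup` suffixes clashing right-side columns the way `join` does, the following `TargetUsername = iff (TargetUserName == "-", username, TargetAccount)` reads the actor's lookup result rather than the target's. A `| project-away username, type` between the two lookups (or renaming the columns after the first) would make the second `extend` use the intended values; this is pre-existing in the moved query and I have not executed it, so treat it as something to confirm. The two conditions are also inconsistent with each other: `TargetUsername` tests `TargetUserName == "-"` while `TargetUsernameType` tests `TargetDomainName == '-'`, which can pair a non-empty username with the lookup's type or vice versa.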
+++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmon/ASimProcessCreateMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventCreateMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventCreateMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventCreateMicrosoftSysmon", - "query": "let parser = (disabled: bool = false) {\n // this is the parser for sysmon from Event table\n let parser_Event =\n Event \n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 1\n | parse-kv EventData as (\n ProcessGuid: string, \n ProcessId: string,\n Image: string,\n FileVersion: string,\n Description: string,\n Product: string,\n Company: string,\n OriginalFileName: string,\n CommandLine: string,\n CurrentDirectory: string,\n User: string,\n LogonGuid: string, \n LogonId: string,\n IntegrityLevel: string,\n Hashes: string,\n ParentProcessGuid: string, \n ParentProcessId: string,\n ParentImage: string,\n ParentCommandLine: string,\n ParentUser: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | parse-kv Hashes as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n 
TargetProcessIMPHASH = IMPHASH\n | project-away Hashes\n | extend \n TargetUsername = User,\n TargetProcessCommandLine = CommandLine\n | project-rename \n DvcHostname = Computer,\n TargetUserSessionGuid = LogonGuid,\n TargetProcessId = ProcessId,\n TargetUserSessionId = LogonId, \n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessFilename = OriginalFileName,\n TargetProcessCurrentDirectory = CurrentDirectory,\n TargetProcessIntegrityLevel = IntegrityLevel, \n TargetProcessFileCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product, \n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage,\n ActorUsername = ParentUser\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Sysmon\",\n // aliases\n Process = TargetProcessName,\n Dvc = DvcHostname,\n EventUid = _ItemId\n | project-away\n EventData,\n ParameterXml,\n AzureDeploymentID,\n EventCategory,\n EventID,\n EventLevel,\n EventLevelName,\n TenantId,\n EventLog,\n MG,\n ManagementGroupName,\n Message,\n Role,\n SourceSystem,\n Source,\n UserName,\n RenderedDescription,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\"\n ;\n parser_Event \n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + 
"displayName": "Process Create Event ASIM parser for Sysmon", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventCreateMicrosoftSysmon", + "query": "let parser = (disabled: bool = false) {\n // this is the parser for sysmon from Event table\n let parser_Event =\n Event \n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 1\n | parse-kv EventData as (\n ProcessGuid: string, \n ProcessId: string,\n Image: string,\n FileVersion: string,\n Description: string,\n Product: string,\n Company: string,\n OriginalFileName: string,\n CommandLine: string,\n CurrentDirectory: string,\n User: string,\n LogonGuid: string, \n LogonId: string,\n IntegrityLevel: string,\n Hashes: string,\n ParentProcessGuid: string, \n ParentProcessId: string,\n ParentImage: string,\n ParentCommandLine: string,\n ParentUser: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | parse-kv Hashes as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | project-away Hashes\n | extend \n TargetUsername = User,\n TargetProcessCommandLine = CommandLine\n | project-rename \n DvcHostname = Computer,\n TargetUserSessionGuid = LogonGuid,\n TargetProcessId = ProcessId,\n TargetUserSessionId = LogonId, \n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessFilename = OriginalFileName,\n TargetProcessCurrentDirectory = CurrentDirectory,\n TargetProcessIntegrityLevel = IntegrityLevel, \n TargetProcessFileCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product, \n ActingProcessId = 
ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage,\n ActorUsername = ParentUser\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Sysmon\",\n // aliases\n Process = TargetProcessName,\n Dvc = DvcHostname,\n EventUid = _ItemId\n | project-away\n EventData,\n ParameterXml,\n AzureDeploymentID,\n EventCategory,\n EventID,\n EventLevel,\n EventLevelName,\n TenantId,\n EventLog,\n MG,\n ManagementGroupName,\n Message,\n Role,\n SourceSystem,\n Source,\n UserName,\n RenderedDescription,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\"\n ;\n parser_Event \n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmonWindowsEvent/ASimProcessCreateMicrosoftSysmonWindowsEvent.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmonWindowsEvent/ASimProcessCreateMicrosoftSysmonWindowsEvent.json index d8e53937ccc..6b417f56cb2 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmonWindowsEvent/ASimProcessCreateMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmonWindowsEvent/ASimProcessCreateMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventCreateMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventCreateMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventCreateMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled: bool = false) {\n // this is the parser for sysmon from WindowsEvent table\n let parser_WindowsEvent=\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | extend \n EventOriginalType = tostring(EventID),\n TargetUserSessionId = tostring(EventData.LogonId), \n TargetUsername = tostring(EventData.User),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\n TargetUserSessionGuid = extract ('^{(.*)}$', 1, tostring(EventData.LogonGuid), typeof(string)),\n TargetProcessId = 
tostring(EventData.ProcessId),\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessFilename = tostring(EventData.OriginalFileName),\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\n TargetProcessFileCompany = tostring(EventData.Company),\n TargetProcessFileDescription = tostring(EventData.Description),\n TargetProcessFileVersion = tostring(EventData.FileVersion),\n TargetProcessFileProduct = tostring(EventData.Product),\n ActingProcessId = tostring(EventData.ParentProcessId), \n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ParentProcessGuid), typeof(string)), \n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\n ActingProcessName = tostring(EventData.ParentImage),\n ActorUsername = tostring(EventData.ParentUser)\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Security Events\"\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | extend // aliases \n Dvc = DvcHostname,\n User = TargetUsername,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n EventUid = _ItemId\n | project-away\n EventData,\n Provider,\n ManagementGroupName,\n RawEventData,\n SourceSystem,\n Task,\n TenantId,\n EventID,\n Data,\n Channel,\n EventLevel,\n EventLevelName,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n 
DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_WindowsEvent\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Sysmon", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventCreateMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled: bool = false) {\n // this is the parser for sysmon from WindowsEvent table\n let parser_WindowsEvent=\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | extend \n EventOriginalType = tostring(EventID),\n TargetUserSessionId = tostring(EventData.LogonId), \n TargetUsername = tostring(EventData.User),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\n TargetUserSessionGuid = extract ('^{(.*)}$', 1, tostring(EventData.LogonGuid), typeof(string)),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessFilename = tostring(EventData.OriginalFileName),\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\n TargetProcessFileCompany = tostring(EventData.Company),\n TargetProcessFileDescription = tostring(EventData.Description),\n TargetProcessFileVersion = 
tostring(EventData.FileVersion),\n TargetProcessFileProduct = tostring(EventData.Product),\n ActingProcessId = tostring(EventData.ParentProcessId), \n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ParentProcessGuid), typeof(string)), \n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\n ActingProcessName = tostring(EventData.ParentImage),\n ActorUsername = tostring(EventData.ParentUser)\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Security Events\"\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | extend // aliases \n Dvc = DvcHostname,\n User = TargetUsername,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n EventUid = _ItemId\n | project-away\n EventData,\n Provider,\n ManagementGroupName,\n RawEventData,\n SourceSystem,\n Task,\n TenantId,\n EventID,\n Data,\n Channel,\n EventLevel,\n EventLevelName,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_WindowsEvent\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftWindowsEvents/ASimProcessCreateMicrosoftWindowsEvents.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftWindowsEvents/ASimProcessCreateMicrosoftWindowsEvents.json
index cc5c5bf72d0..be21415d960 100644
--- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftWindowsEvents/ASimProcessCreateMicrosoftWindowsEvents.json
+++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftWindowsEvents/ASimProcessCreateMicrosoftWindowsEvents.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for WEF Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateMicrosoftWindowsEvents", - "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n[\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\nlet 
parser=(disabled:boolean=false){\nWindowsEvent\n| where not(disabled)\n| where EventID == 4688\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\",\n username = tostring(EventData.TargetUserName)\n| extend\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username)),\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\n| extend\n TargetUserIdType = iff (TargetUserId <> \"S-1-0-0\", \"SID\", \"\"),\n TargetUserId = iff (TargetUserId <> \"S-1-0-0\", TargetUserId, \"\"), \n TargetUsernameType = \"Windows\"\n| project-away\n username\n| extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = 
tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n| extend \n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n| lookup MandatoryLabelLookup on MandatoryLabel\n// -- Aliases\n| extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for WEF Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateMicrosoftWindowsEvents", + "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n[\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 
'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\nlet parser=(disabled:boolean=false){\nWindowsEvent\n| where not(disabled)\n| where EventID == 4688\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\",\n username = tostring(EventData.TargetUserName)\n| extend\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username)),\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\n| extend\n TargetUserIdType = iff (TargetUserId <> \"S-1-0-0\", \"SID\", \"\"),\n TargetUserId = iff (TargetUserId <> \"S-1-0-0\", TargetUserId, \"\"), \n TargetUsernameType = \"Windows\"\n| project-away\n username\n| extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = 
tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n| extend \n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n| lookup MandatoryLabelLookup on MandatoryLabel\n// -- Aliases\n| extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateSentinelOne/ASimProcessCreateSentinelOne.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateSentinelOne/ASimProcessCreateSentinelOne.json index efd3aed5945..d431d8d36b7 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateSentinelOne/ASimProcessCreateSentinelOne.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateSentinelOne/ASimProcessCreateSentinelOne.json 
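Review bot: The new query derives the target user's domain from the subject: `TargetUsername = iff(username == "-", ActorUsername, strcat(EventData.SubjectDomainName, @'\', username))`, so when a 4688 carries a distinct target account (a process started under other credentials) it is attributed to the creator's domain, and `ActorUsername` is built with a bare `strcat` that never handles a `-` domain even though `ASIM_ResolveWindowsUsername` is defined at the top of the query and never invoked. Detections keyed on TargetUsername across domains will mis-attribute. The target's own domain is available in the event data; suggested: `TargetUsername = iff(username == "-", ActorUsername, strcat(tostring(EventData.TargetDomainName), @'\', username))`. This file looks like generated ARM output, so fix the parser source and regenerate rather than editing the JSON.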
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateSentinelOne", - "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"PROCESSCREATION\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let 
maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n DvcId = agentDetectionInfo_uuid_g,\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,\n TargetProcessId = targetProcessInfo_tgtProcPid_s,\n TargetProcessName = targetProcessInfo_tgtProcName_s,\n EventUid = _ItemId,\n TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,\n ActingProcessName = sourceProcessInfo_name_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,\n ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,\n ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,\n ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n TargetUsername = sourceProcessInfo_user_s,\n Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),\n ParentProcessId = sourceProcessInfo_pid_s,\n TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetProcessSHA256 = 
targetProcessInfo_tgtFileHashSha256_s,\n ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, \"-\", \"\"),\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity)\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = DvcId,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n ActingProcessCreationTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Rule = RuleName\n | extend \n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateSentinelOne", + "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet 
ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"PROCESSCREATION\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n DvcId = agentDetectionInfo_uuid_g,\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,\n TargetProcessId = targetProcessInfo_tgtProcPid_s,\n TargetProcessName = targetProcessInfo_tgtProcName_s,\n EventUid = _ItemId,\n TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,\n ActingProcessName = sourceProcessInfo_name_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,\n ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,\n 
ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,\n ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n TargetUsername = sourceProcessInfo_user_s,\n Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),\n ParentProcessId = sourceProcessInfo_pid_s,\n TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, \"-\", \"\"),\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity)\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = DvcId,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n ActingProcessCreationTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Rule = RuleName\n | extend \n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n 
TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateTrendMicroVisionOne/ASimProcessCreateTrendMicroVisionOne.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateTrendMicroVisionOne/ASimProcessCreateTrendMicroVisionOne.json index 221c8b2488a..495b9c3cb5e 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateTrendMicroVisionOne/ASimProcessCreateTrendMicroVisionOne.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateTrendMicroVisionOne/ASimProcessCreateTrendMicroVisionOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateTrendMicroVisionOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateTrendMicroVisionOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateTrendMicroVisionOne", - "query": "let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\n [\n 0, \"Untrusted\",\n 4096, \"Low\",\n 8192, \"Medium\",\n 12288, \"High\",\n 16384, \"System\"\n];\nlet parser = (disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where detail_eventId_s == \"TELEMETRY_PROCESS\"\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | extend\n ActingProcessId = tostring(toint(detail_processPid_d)),\n TargetProcessId = tostring(toint(detail_objectPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n TargetProcessCreationTime = 
unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\n ActingProcessFilename = GetFilenamePart(detail_processFilePath_s),\n ParentProcessCreationTime = unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\n ParentProcessName = detail_parentName_s,\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\n ActingProcessFileSize = tolong(detail_processFileSize_d),\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, \"-\", \"\"),\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s\n )\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\n | project-rename ParentProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\n | project-rename TargetProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\n | project-rename ActingProcessIntegrityLevel = IntegrityType\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"ProcessEvent\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = 
detail_eventTimeDT_t,\n TargetProcessName = detail_objectName_s,\n TargetUsername = detail_objectUser_s,\n ActingProcessName = detail_processName_s,\n ActingProcessSHA1 = detail_processFileHashSha1_s,\n ActingProcessSHA256 = detail_processFileHashSha256_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\n TargetProcessSHA256 = detail_objectFileHashSha256_s,\n EventUid = _ItemId,\n EventMessage = description\n | extend \n Dvc = DvcHostname,\n EventEndTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\n | extend\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n filters,\n name\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process 
Create ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateTrendMicroVisionOne", + "query": "let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\n [\n 0, \"Untrusted\",\n 4096, \"Low\",\n 8192, \"Medium\",\n 12288, \"High\",\n 16384, \"System\"\n];\nlet parser = (disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where detail_eventId_s == \"TELEMETRY_PROCESS\"\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | extend\n ActingProcessId = tostring(toint(detail_processPid_d)),\n TargetProcessId = tostring(toint(detail_objectPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\n ActingProcessFilename = GetFilenamePart(detail_processFilePath_s),\n ParentProcessCreationTime = unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\n ParentProcessName = detail_parentName_s,\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\n ActingProcessFileSize = tolong(detail_processFileSize_d),\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, 
\"-\", \"\"),\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s\n )\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\n | project-rename ParentProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\n | project-rename TargetProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\n | project-rename ActingProcessIntegrityLevel = IntegrityType\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"ProcessEvent\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n TargetProcessName = detail_objectName_s,\n TargetUsername = detail_objectUser_s,\n ActingProcessName = detail_processName_s,\n ActingProcessSHA1 = detail_processFileHashSha1_s,\n ActingProcessSHA256 = detail_processFileHashSha256_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\n TargetProcessSHA256 = 
detail_objectFileHashSha256_s,\n EventUid = _ItemId,\n EventMessage = description\n | extend \n Dvc = DvcHostname,\n EventEndTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\n | extend\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n filters,\n name\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json index dd54573f70a..49fcd116b76 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json 
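Review bot: In the re-added `query` string, `TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', '')` (and the `ActingProcessCommandLine` line right after it) removes every double quote from the command line, not just a wrapping pair, so quoted paths and arguments lose their quoting and any analytic that matches a quoted token in `CommandLine` will silently miss on this source. If the intent is only to drop surrounding quotes, `trim('\"', detail_objectCmd_s)` keeps the inner ones intact and preserves the original evidence. The same parser also labels rows with `detail_eventSubId_s` of `TELEMETRY_PROCESS_LOAD_IMAGE` or `TELEMETRY_PROCESS_OPEN` as `EventType = \"ProcessCreated\"`, which consumers filtering on that value will read as process starts; confirm that is intended. These ARM templates look generated from the parser sources (the identical structural change across the ASimProcessCreate* files), so the fix belongs in the source KQL rather than in this JSON.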
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: 
string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s;\n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n 
deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n 
\"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n \"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | 
project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: 
string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s;\n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s 
== \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n \"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n \"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | 
project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json index 251122161d0..cb84e1ab896 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimProcessEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessEventCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessEventCreateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimProcessEventTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessEventTerminateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n 
ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),\n ASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessCreateTrendMicroVisionOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimProcessEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend 
SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessEventCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessEventCreateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimProcessEventTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessEventTerminateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or 
('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),\n ASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessCreateTrendMicroVisionOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json index f5ccbad5ed8..d50ec330c18 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json 
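Review bot: The opt-out keys in the new `query` are inconsistent with the sibling unions on this page: `'ExcludeASimProcessEventMD4IoTh'` (trailing `h`) and `'ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent'` (duplicated prefix) will never match a watchlist entry spelled the way ASimProcessEventCreate and ASimProcessEventTerminate spell it, so an operator who disables the MD4IoT parser through `ASimDisabledParsers` still gets its rows from ASimProcessEvent. Change them to `'ExcludeASimProcessEventMD4IoT'` and `'ExcludeASimProcessEventTerminateMicrosoftSysmonWindowsEvent'`. Separately, this union calls `ASimProcessEventCreateMicrosoftSysmon` / `ASimProcessEventTerminateMicrosoftSysmon` while the Create and Terminate unions call `ASimProcessCreateMicrosoftSysmon` / `ASimProcessTerminateMicrosoftSysmon`; because `union isfuzzy=true` silently skips a name that does not resolve, whichever spelling is wrong drops Sysmon events with no error, so the function names should be verified against the deployed parsers. If these ARM files are generated from the parser YAML, the fix belongs in the YAML so it is not regenerated away.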
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventCreate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventCreate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventCreate", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) 
)),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\n ASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessCreateTrendMicroVisionOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))\n", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventCreate", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),\n 
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\n ASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessCreateTrendMicroVisionOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))\n", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventMD4IoT/ASimProcessEventMD4IoT.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventMD4IoT/ASimProcessEventMD4IoT.json index 50df8bbb1b8..49ae4618b2e 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventMD4IoT/ASimProcessEventMD4IoT.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventMD4IoT/ASimProcessEventMD4IoT.json 
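Review bot: The Create union in the new `query` omits the Sysmon-via-WindowsEvent source that ASimProcessEvent on this page includes (`ASimProcessEventCreateMicrosoftSysmonWindowsEvent`), so process-creation events ingested through the WindowsEvent table would surface in ASimProcessEvent but not in ASimProcessEventCreate; if that parser is meant to be part of this set, add `ASimProcessEventCreateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),` to the union. Since the union is `isfuzzy=true`, an omission or a misspelled member produces no error, only missing rows, which is worth a comment in the source listing the intended members.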
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventMD4IoT", - "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Process\"\n | extend\n EventDetails = todynamic(EventDetails)\n | extend \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n TargetUsername = iff 
(DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventMD4IoT", + "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Process\"\n | extend\n EventDetails = todynamic(EventDetails)\n | extend \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n TargetUsername = iff (DvcOs == 
\"Windows\", tostring(EventDetails.UserName), \"\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json index dc125667ec4..40721bc9f71 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json 
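Review bot: `EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated')` in the new `query` emits `ProcessTerminate`, whereas the Linux Sysmon terminate parser on this page emits `ProcessTerminated`; a detection filtering on `EventType == 'ProcessTerminated'` will miss Defender for IoT termination events. Align it to `'ProcessTerminated'`. The `displayName` "Process Create Event ASIM parser for Microsoft Defender for IoT" also undersells the function, which handles both creation and termination, so "Process Event ASIM parser for Microsoft Defender for IoT" would be more accurate. The inner lambda `ProcessEvents_MD4IoT=()` takes no parameter yet references `disabled`, while the other parsers here pass it explicitly (`parser(disabled=disabled)`); confirm the outer `disabled:bool=False` function parameter is in scope for the lambda.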
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft 365 Defender for endpoint", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventMicrosoft365D", - "query": "let parser=(disabled:boolean=false)\n {\n DeviceProcessEvents \n | where not(disabled)\n | extend\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventResult = 'Success'\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId 
= tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n MDE_MachineGroup = MachineGroup\n | extend // -- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = 
DvcHostname\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId \n };\n parser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft 365 Defender for endpoint", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventMicrosoft365D", + "query": "let parser=(disabled:boolean=false)\n {\n DeviceProcessEvents \n | where not(disabled)\n | extend\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventResult = 'Success'\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", 
\"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n MDE_MachineGroup = MachineGroup\n | extend // -- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId \n };\n parser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
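Review bot: `HashType` in the new `query` indexes `dynamic(["SHA256", "SHA1", "MD5"])` with `array_index_of(pack_array(SHA256, SHA1, MD5), Hash)`, and when no hash is present `Hash` is `""` (from the `coalesce(..., "")` default) so the index is `-1`; confirm that a negative index yields null here rather than the last element, otherwise hash-less rows are labelled `MD5`. A guard such as `HashType = iff(isempty(Hash), "", tostring(...))` makes the intent explicit regardless of indexing semantics. Also `ActorUserIdType` / `TargetUserIdType` are set to `'SID'` unconditionally, including for rows that `DvcOs` classifies as Linux via the `ProcessPosixProcessGroupId` check, which looks inconsistent but may be intended.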
diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventNative/ASimProcessEventNative.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventNative/ASimProcessEventNative.json index a6f2a261ce5..fa61dac4edf 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventNative/ASimProcessEventNative.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventNative/ASimProcessEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event ASIM parser for Microsoft Sentinel native Process Event table", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventNative", - "query": "let parser=(disabled: bool=false) {\n ASimProcessEventLogs \n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"ProcessEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = TargetUsername,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine,\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event ASIM parser for Microsoft Sentinel native Process Event table", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventNative", + "query": "let parser=(disabled: 
bool=false) {\n ASimProcessEventLogs \n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"ProcessEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = TargetUsername,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine,\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json index 6c0f9639ea8..800f996da3d 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json 
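Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` in the new `query` tests the wrong column: it substitutes `TimeGenerated` only when `EventEndTime` is null, so a row with a null `EventStartTime` and a populated `EventEndTime` keeps the null. Change it to `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. The `EventEndTime` line directly above it is evidently the template the line was copied from.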
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventTerminate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventTerminate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventTerminate", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\nvimProcessEmpty,\nASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\nASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\nASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in 
(DisabledParsers) )),\nASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\nASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))\n", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventTerminate", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\nvimProcessEmpty,\nASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\nASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\nASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\nASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\nASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))\n", + "version": 
1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateLinuxSysmon/ASimProcessTerminateLinuxSysmon.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateLinuxSysmon/ASimProcessTerminateLinuxSysmon.json index 9ec2af8d912..c1a2c8f713f 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateLinuxSysmon/ASimProcessTerminateLinuxSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateLinuxSysmon/ASimProcessTerminateLinuxSysmon.json 
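Review bot: The watchlist lookup in the new `query` filters on `SearchKey in ('Any', 'ExcludeASimProcess')`, the same key the parent ASimProcessEvent union uses, whereas the Create counterpart on this page has its own key `'ExcludeASimProcessEventCreate'`; there is no `'ExcludeASimProcessEventTerminate'` key, so an operator cannot opt out of the terminate union the way they can for the create one. Consider `where SearchKey in ('Any', 'ExcludeASimProcessEventTerminate')` if parity is intended. The union also omits the terminate-via-WindowsEvent Sysmon source (`ASimProcessEventTerminateMicrosoftSysmonWindowsEvent` appears in ASimProcessEvent) and calls `ASimProcessTerminateMicrosoftSysmon` where ASimProcessEvent calls `ASimProcessEventTerminateMicrosoftSysmon`; with `isfuzzy=true` a wrong name is skipped silently, so the member list should be verified rather than inferred.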
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessTerminateLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessTerminateLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimProcessTerminateLinuxSysmon", - "query": "let ParsedProcessEvent=(){\nSyslog\n| where not(disabled)\n| where SyslogMessage has_all ('5')\n| parse SyslogMessage with * ''RuleName''\n ''UtcTime''\n '{'ProcessGuid'}'\n ''ProcessId:string''\n ''Image''*\n| parse SyslogMessage with *''ActorUsername '' *\n| project-away SyslogMessage\n| extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType='5',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Linux\"\n | project-rename\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessId = ProcessId\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n TargetProcessGuid = ProcessGuid,\n //***** Aliases ******\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n}; ParsedProcessEvent\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Sysmon for 
Linux", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateLinuxSysmon", + "query": "let ParsedProcessEvent=(){\nSyslog\n| where not(disabled)\n| where SyslogMessage has_all ('5')\n| parse SyslogMessage with * ''RuleName''\n ''UtcTime''\n '{'ProcessGuid'}'\n ''ProcessId:string''\n ''Image''*\n| parse SyslogMessage with *''ActorUsername '' *\n| project-away SyslogMessage\n| extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType='5',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Linux\"\n | project-rename\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessId = ProcessId\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n TargetProcessGuid = ProcessGuid,\n //***** Aliases ******\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n}; ParsedProcessEvent\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSecurityEvents/ASimProcessTerminateMicrosoftSecurityEvents.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSecurityEvents/ASimProcessTerminateMicrosoftSecurityEvents.json index f57f8be50a8..3c1985a1d61 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSecurityEvents/ASimProcessTerminateMicrosoftSecurityEvents.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSecurityEvents/ASimProcessTerminateMicrosoftSecurityEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessTerminateMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessTerminateMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessTerminateMicrosoftSecurityEvents", - "query": "let ProcessEvents=(){\n SecurityEvent\n | where not(disabled)\n // -- Filter\n | where EventID == 4689\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Events\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n EventOriginalUid = EventOriginId,\n EventResultDetails = Status,\n EventOriginalResultDetails = Status, \n // Device\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = SubjectLogonId,\n ActorDomainName = SubjectDomainName,\n // Processes \n TargetProcessId = 
tostring(toint(ProcessId)),\n TargetProcessName = ProcessName,\n TargetProcessCommandLine = CommandLine,\n TargetProcessTokenElevation = TokenElevationType,\n Process = ProcessName\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; ProcessEvents\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateMicrosoftSecurityEvents", + "query": "let ProcessEvents=(){\n SecurityEvent\n | where not(disabled)\n // -- Filter\n | where EventID == 4689\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Events\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n EventOriginalUid = EventOriginId,\n EventResultDetails = Status,\n EventOriginalResultDetails = Status, \n // Device\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = SubjectLogonId,\n ActorDomainName = SubjectDomainName,\n // Processes \n TargetProcessId = tostring(toint(ProcessId)),\n TargetProcessName = ProcessName,\n TargetProcessCommandLine = CommandLine,\n TargetProcessTokenElevation = TokenElevationType,\n Process = ProcessName\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; 
ProcessEvents\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmon/ASimProcessTerminateMicrosoftSysmon.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmon/ASimProcessTerminateMicrosoftSysmon.json index 5d6b263715f..9697c29b8b6 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmon/ASimProcessTerminateMicrosoftSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmon/ASimProcessTerminateMicrosoftSysmon.json 
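Review bot: The KQL in the new `query` value assigns `Process` twice: `Process = ProcessName` inside the first `extend` under `// Processes`, and again `Process = TargetProcessName` in the `// Aliases` block, which is the only assignment ASIM convention expects. The two are equal here so the result is unchanged, but the duplicate obscures which one is authoritative and is the kind of thing a schema tester flags; drop the earlier line so `TargetProcessTokenElevation = TokenElevationType` closes that `extend`. If these templates are generated from a YAML source, the removal belongs there rather than in the JSON.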
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventTerminateMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventTerminateMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmon", - "query": "let parser = (disabled: bool = false) {\n// this is the parser for sysmon from Event table\nlet parser_Event =\n Event \n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\n | parse-kv EventData as (\n ProcessId: string,\n ProcessGuid: string,\n Image: string,\n User: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n ActorUsername = User,\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessGuid = ProcessGuid,\n TargetProcessId = ProcessId\n | extend \n EventProduct = \"Sysmon\"\n | project-away\n EventData,\n ParameterXml,\n RenderedDescription,\n MG,\n ManagementGroupName,\n Message,\n AzureDeploymentID,\n SourceSystem,\n EventCategory,\n EventLevelName,\n EventLevel,\n EventLog,\n Role,\n TenantId,\n UserName,\n Source,\n _ResourceId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 
'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID\n;\nparser_Event\n};\nparser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmon", + "query": "let parser = (disabled: bool = false) {\n// this is the parser for sysmon from Event table\nlet parser_Event =\n Event \n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\n | parse-kv EventData as (\n ProcessId: string,\n ProcessGuid: string,\n Image: string,\n User: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n ActorUsername = User,\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessGuid = ProcessGuid,\n TargetProcessId = ProcessId\n | extend \n EventProduct = \"Sysmon\"\n | project-away\n EventData,\n ParameterXml,\n RenderedDescription,\n MG,\n ManagementGroupName,\n Message,\n AzureDeploymentID,\n SourceSystem,\n EventCategory,\n EventLevelName,\n EventLevel,\n EventLog,\n Role,\n TenantId,\n UserName,\n Source,\n _ResourceId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID\n;\nparser_Event\n};\nparser (disabled = disabled)", + "version": 1, + 
"functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmonWindowsEvent/ASimProcessTerminateMicrosoftSysmonWindowsEvent.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmonWindowsEvent/ASimProcessTerminateMicrosoftSysmonWindowsEvent.json index fe1c68753d2..476ae2ae389 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmonWindowsEvent/ASimProcessTerminateMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmonWindowsEvent/ASimProcessTerminateMicrosoftSysmonWindowsEvent.json 
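Review bot: The alias deployed by this hunk, `"FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmon"` (and the matching resource `name`), differs from both the file's own path `ASimProcessTerminateMicrosoftSysmon.json` and the name the unifying ASimProcessEventTerminate parser earlier in this diff invokes, `ASimProcessTerminateMicrosoftSysmon(...)`. Because that parser unions with `isfuzzy=true`, an unresolved function is skipped silently rather than raised, so Sysmon process-terminate events would quietly disappear from the unifying parser unless a function under the invoked name is deployed elsewhere. If these templates are generated from a YAML source, the alias should be reconciled there so the emitted `name` and `FunctionAlias` agree with the caller. Separately, the `displayName` `Process Terminate Event ASIM parser for Microsoft Windows Security Events` describes the wrong source for a parser that reads the `Event` table filtered to `Microsoft-Windows-Sysmon`; the same mislabelled `displayName` appears in the ASimProcessTerminateMicrosoftSysmonWindowsEvent hunk below.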
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventTerminateMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventTerminateMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled:bool = false) {\n let parser_WindowsEvent=\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\n | extend\n EventProduct = \"Security Events\",\n ActorUsername = tostring(EventData.User),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = tostring(EventData.ProcessGuid)\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | project-away Channel, Data, EventData, EventLevelName, EventLevel, ManagementGroupName, Provider, RawEventData, SourceSystem, Task, TenantId,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,Version,_ResourceId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n 
DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID\n ;\n parser_WindowsEvent\n};\nparser (disabled = disabled) ", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled:bool = false) {\n let parser_WindowsEvent=\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\n | extend\n EventProduct = \"Security Events\",\n ActorUsername = tostring(EventData.User),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = tostring(EventData.ProcessGuid)\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | project-away Channel, Data, EventData, EventLevelName, EventLevel, ManagementGroupName, Provider, RawEventData, SourceSystem, Task, TenantId,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,Version,_ResourceId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID\n ;\n parser_WindowsEvent\n};\nparser (disabled = disabled) ", + "version": 1, + "functionParameters": "disabled:bool=False" 
+ } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftWindowsEvents/ASimProcessTerminateMicrosoftWindowsEvents.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftWindowsEvents/ASimProcessTerminateMicrosoftWindowsEvents.json index ec03f1ba72f..a6f91b82aa1 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftWindowsEvents/ASimProcessTerminateMicrosoftWindowsEvents.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftWindowsEvents/ASimProcessTerminateMicrosoftWindowsEvents.json 
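Review bot: The new `query` value sets `EventProduct = "Security Events"` while filtering on `Provider == "Microsoft-Windows-Sysmon"`, so the normalized product field contradicts the source the parser actually reads and disagrees with the sibling Sysmon parser in the preceding hunk, which sets `EventProduct = "Sysmon"` for the same events taken from the `Event` table. Analytics that pivot on `EventProduct` would split Sysmon terminate events across two values depending on ingestion path; change the line to `EventProduct = "Sysmon",`. If these templates are generated from a YAML source, the fix belongs there.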
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessTerminateMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessTerminateMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for WEF Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessTerminateMicrosoftWindowsEvents", - "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet parser=(disabled:boolean=false){\nWindowsEvent\n| where not(disabled)\n| where EventID == 4689\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessTerminated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n SubjectUserSid = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", 
\"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsernameType = \"Windows\"\n| extend \n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessStatusCode = tostring(EventData.Status)\n| extend \n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n// -- Aliases\n| extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId, SubjectUserSid\n}; \nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for WEF Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateMicrosoftWindowsEvents", + "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet parser=(disabled:boolean=false){\nWindowsEvent\n| where not(disabled)\n| where EventID == 4689\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = 
todatetime(TimeGenerated),\n EventType = 'ProcessTerminated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n SubjectUserSid = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsernameType = \"Windows\"\n| extend \n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessStatusCode = tostring(EventData.Status)\n| extend \n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n// -- Aliases\n| extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId, SubjectUserSid\n}; \nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json index 203e573a643..6a43fe8a959 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json 
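Review bot: The new `query` value defines `ASIM_ResolveWindowsUsername` but never invokes it; the username is instead built unconditionally with `strcat(EventData.SubjectDomainName, @'\', EventData.SubjectUserName)` and `ActorUsernameType = "Windows"` is hard-coded. That leaves the `-` domain and `-` username cases the helper was written to handle unnormalized, producing values such as `-\name` with type `Windows`, which is inconsistent with the Security Events parser earlier in this diff that returns `Simple` for `SubjectDomainName == '-'`. Either route the extraction through the helper or delete the unused definition so the intent is unambiguous. If these templates are generated from a YAML source, the change belongs there.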
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessTerminateVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessTerminateVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimProcessTerminateVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procend\" and isnotempty(process_pid_d)\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", 
org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n 
EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procend\" and isnotempty(process_pid_d)\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n 
EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json b/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json index 08b58a3a888..4cd9bd18619 100644 --- a/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json +++ b/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imProcessCreate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imProcessCreate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser", - "category": "ASIM", - "FunctionAlias": "imProcessCreate", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessCreateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, 
targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT 
(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, 
dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessCreateTrendMicroVisionOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateTrendMicroVisionOne' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser", + "category": "ASIM", + "FunctionAlias": "imProcessCreate", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), 
actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessCreateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' 
in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, 
endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessCreateTrendMicroVisionOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateTrendMicroVisionOne' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, 
dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json b/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json index 7f00f3e1fc6..191d0928b43 100644 --- a/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json +++ b/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json 
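Review bot: The final `Generic(...)` invocation at the end of the new-side `query` string binds `dvcname_has_any=dvcipaddr_has_any_prefix`, so a caller's device-name filter is dropped and the IP-prefix list is matched against hostnames instead; it should read `dvcname_has_any=dvcname_has_any`. The defect predates this restructuring and the commit leaves it in place, so any detection scoped through imProcessCreate's `dvcname_has_any` parameter silently filters on the wrong field. In the same string the `vimProcessCreateMD4IoT` branch is gated on `'ExcludevimProcessEventMD4IoT'` while every other branch uses `Exclude` plus its own parser name, which looks like the disable key for that source can never be matched. If this ARM template is generated from the parser's YAML definition, both fixes belong in that source followed by a regeneration rather than in this JSON.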
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imProcessEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imProcessEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event filtering parser", - "category": "ASIM", - "FunctionAlias": "imProcessEvent", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, 
parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessEventCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonn' in (DisabledParsers) ))),\n vimProcessEventCreateMicrosoftSysmonWindowsEvent (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimProcessEventTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessEventTerminateMicrosoftSysmonWindowsEvent (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, 
targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, 
parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMD4IoT' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n 
vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n };\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any,actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event filtering parser", + "category": "ASIM", + "FunctionAlias": "imProcessEvent", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, 
dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessEventCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonn' in (DisabledParsers) ))),\n vimProcessEventCreateMicrosoftSysmonWindowsEvent (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimProcessEventTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessEventTerminateMicrosoftSysmonWindowsEvent (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, 
dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, 
dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMD4IoT' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, 
commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n };\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any,actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json b/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json index b11b332b8fe..76ed8a65f75 100644 --- a/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json +++ b/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json 
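Review bot: The new-side `query` string unions `vimProcessCreateSentinelOne` twice — once with positional arguments and again with named arguments and `hashes_has_any` — so every SentinelOne process-creation row is returned twice by imProcessEvent, which inflates counts in any rule built on it; one of the two calls should be removed. The disable key `'ExcludevimProcessEventCreateMicrosoftSysmonn'` (doubled "n") does not follow the `Exclude` plus parser-name pattern used by the other branches, so that parser appears impossible to switch off through the ASimDisabledParsers watchlist; it presumably should be `'ExcludevimProcessEventCreateMicrosoftSysmon'`. Both issues were present before this commit and are carried over unchanged. If the template is generated from the parser's YAML source, the corrections belong there.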
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imProcessTerminate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imProcessTerminate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate ASIM parser", - "category": "ASIM", - "FunctionAlias": "imProcessTerminate", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessTerminate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessTerminateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n\nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n 
vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in 
(DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*'" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser", + "category": "ASIM", + "FunctionAlias": "imProcessTerminate", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessTerminate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct 
SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessTerminateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n\nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n 
vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*'" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json index f5a11264f7b..b0e32d26ca5 100644 
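Review bot: The watchlist key that disables the MD4IoT branch of the union, `'ExcludevimProcessEventMD4IoT'`, does not follow the `Exclude<invoked parser>` pattern every other branch uses (`ExcludevimProcessTerminateMicrosoftSysmon`, `ExcludevimProcessTerminateLinuxSysmon`, …) even though the function called there is `vimProcessTerminateMD4IoT`. Unless this is deliberate, an `ExcludevimProcessTerminateMD4IoT` entry in the ASimDisabledParsers watchlist will not switch that branch off, while the `ExcludevimProcessEventMD4IoT` key is not discoverable from the parser name; the branch would read `(imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))`, and if these templates are generated the change belongs in their source. The same key is present on the removed side, so this is pre-existing rather than introduced by the flattening. The template's parameters section lies outside the hunk.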
--- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM filtering parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateLinuxSysmon", - "query": "let ParsedProcessEvent=(){\n Syslog\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_all)==0 or SyslogMessage has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or SyslogMessage has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(SyslogMessage, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or SyslogMessage has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or SyslogMessage has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any)==0) /// ????\n and (targetusername=='*' or SyslogMessage has targetusername) \n and (array_length(dvcipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(HostIP,dvcipaddr_has_any_prefix) )\n and (array_length(dvcname_has_any)==0 or SyslogMessage has_any (dvcname_has_any)) \n // 
--------------------------------------------------------------------------------------\n | where SyslogMessage has_all ('1')\n | parse SyslogMessage with \n *\n '' EventRecordId:int ''\n *\n '' SysmonComputer:string ''\n *\n ''RuleName // parsing the XML using the original fields name - for readability \n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId:string\n ''Image\n ''FileVersion\n ''Description\n ''Product\n ''Company'' *\n // --------------------------------------------------------------------------------------\n | where \n (array_length(dvcname_has_any)==0 or SysmonComputer has_any (dvcname_has_any))\n and (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any))\n // --------------------------------------------------------------------------------------\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n | parse SyslogMessage with *\n ''CommandLine''\n ''CurrentDirectory\n ''User\n '{'LogonGuid\n '}'LogonId\n ''TerminalSessionId\n ''IntegrityLevel\n ''Hashes\n '{'ParentProcessGuid\n '}'ParentProcessId:string\n ''ParentImage\n ''ParentCommandLine ''*\n // --------------------------------------------------------------------------------------\n | where \n (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\n and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) // \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\n and (array_length(actingprocess_has_any)==0 or ParentImage has_any (actingprocess_has_any))\n and (targetusername=='*' or User has targetusername)\n // --------------------------------------------------------------------------------------\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in newer versions of Sysmon \n | extend 
TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n | project-away SyslogMessage, Hashes\n | extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon for Linux\",\n EventResult = 'Success',\n EventOriginalUid = tostring(EventRecordId),\n DvcOs = \"Linux\",\n TargetUserSessionId = tostring(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n TargetProcessCurrentDirectory = CurrentDirectory,\n ActorUsernameType = \"Simple\",\n EventOriginalType = '1' // Set with a constant value to avoid parsing\n | project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\n DvcIpAddr = HostIP, \n TargetUserSessionGuid = LogonGuid, \n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n | extend // aliases\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n | project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM filtering parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateLinuxSysmon", + "query": "let ParsedProcessEvent=(){\n Syslog\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_all)==0 or SyslogMessage has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 
or SyslogMessage has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(SyslogMessage, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or SyslogMessage has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or SyslogMessage has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any)==0) /// ????\n and (targetusername=='*' or SyslogMessage has targetusername) \n and (array_length(dvcipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(HostIP,dvcipaddr_has_any_prefix) )\n and (array_length(dvcname_has_any)==0 or SyslogMessage has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | where SyslogMessage has_all ('1')\n | parse SyslogMessage with \n *\n '' EventRecordId:int ''\n *\n '' SysmonComputer:string ''\n *\n ''RuleName // parsing the XML using the original fields name - for readability \n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId:string\n ''Image\n ''FileVersion\n ''Description\n ''Product\n ''Company'' *\n // --------------------------------------------------------------------------------------\n | where \n (array_length(dvcname_has_any)==0 or SysmonComputer has_any (dvcname_has_any))\n and (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any))\n // --------------------------------------------------------------------------------------\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n | parse SyslogMessage with *\n ''CommandLine''\n ''CurrentDirectory\n ''User\n '{'LogonGuid\n '}'LogonId\n ''TerminalSessionId\n ''IntegrityLevel\n ''Hashes\n '{'ParentProcessGuid\n '}'ParentProcessId:string\n ''ParentImage\n ''ParentCommandLine ''*\n // 
--------------------------------------------------------------------------------------\n | where \n (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\n and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) // \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\n and (array_length(actingprocess_has_any)==0 or ParentImage has_any (actingprocess_has_any))\n and (targetusername=='*' or User has targetusername)\n // --------------------------------------------------------------------------------------\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in newer versions of Sysmon \n | extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n | project-away SyslogMessage, Hashes\n | extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon for Linux\",\n EventResult = 'Success',\n EventOriginalUid = tostring(EventRecordId),\n DvcOs = \"Linux\",\n TargetUserSessionId = tostring(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n TargetProcessCurrentDirectory = CurrentDirectory,\n ActorUsernameType = \"Simple\",\n EventOriginalType = '1' // Set with a constant value to avoid parsing\n | project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\n DvcIpAddr = HostIP, \n TargetUserSessionGuid = LogonGuid, \n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n | extend // aliases\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n | project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json index ae5acdc7f4e..eb810c156f9 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json 
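Review bot: The pre-filter line `and (array_length(parentprocess_has_any)==0) /// ????` ships a placeholder comment in the deployed query; the behaviour (a non-empty parent-process filter yields no rows) matches how other unsupported filters are handled elsewhere in this diff, so the comment should state that instead, e.g. `// parentprocess_has_any is not supported by this source; a non-empty filter intentionally returns no rows`. The `parse SyslogMessage with` delimiters all appear as empty strings in this rendering (`'' EventRecordId:int ''`, `''RuleName`, …), which would parse nothing meaningful; this looks like markup stripped by the page rendering rather than the committed template, but it is worth confirming against the file since a broken delimiter silently drops every event. The `// ... using extact to avoid parsing failure` comment also carries a typo (`extract`). Both points are on the removed side too, so they are pre-existing; the template's parameters section lies outside the hunk.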
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateMD4IoT", - "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" // TODO: exclude entries where segment EventType is \"EXIT\" by full segment structure\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (targetusername=='*' or EventDetails has targetusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // 
--------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | where EventDetails.EventType != 'EXIT' // TODO: move filter to prefiltering. see prev comment \n | extend // required for postfilterring\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (targetusername=='*' or TargetUsername has targetusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = 'ProcessCreated', \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", 
\"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, \n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateMD4IoT", + "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" // TODO: exclude entries where segment EventType is \"EXIT\" by full segment structure\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and 
(array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (targetusername=='*' or EventDetails has targetusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | where EventDetails.EventType != 'EXIT' // TODO: move filter to prefiltering. see prev comment \n | extend // required for postfilterring\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (targetusername=='*' or TargetUsername has targetusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n 
EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = 'ProcessCreated', \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, \n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSecurityEvents/vimProcessCreateMicrosoftSecurityEvents.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSecurityEvents/vimProcessCreateMicrosoftSecurityEvents.json index 897979d726a..8a8661f0f48 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSecurityEvents/vimProcessCreateMicrosoftSecurityEvents.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSecurityEvents/vimProcessCreateMicrosoftSecurityEvents.json 
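Review bot: `EventProduct = 'Azure Defender for IoT'` in the query disagrees with the template's `displayName`, which names the product "Microsoft Defender for IoT"; anything that filters or groups on EventProduct will see one name or the other, so the two should agree (presumably `EventProduct = 'Microsoft Defender for IoT'`, if consumers of the current value are accounted for). Separately, `TargetUsername = iff (DvcOs == "Windows", tostring(EventDetails.UserName), "")` blanks the user for Linux events, so any non-wildcard `targetusername` filter removes every Linux row in the post-filter even when the pre-filter on the raw `EventDetails` accepted it; the `// Intermediate fix` comment suggests this is known, but a comment saying that Linux events carry no TargetUsername and are therefore excluded by a username filter would spare the next reader the trace. Both values are unchanged from the removed side, so this is pre-existing. The template's parameters section lies outside the hunk.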
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateMicrosoftSecurityEvents", - "query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n // Source: https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\n let KnownSIDs = datatable (sid:string, username:string, type:string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n ];\n let UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n ];\n let parser=(\n 
starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n disabled:bool=false\n )\n { SecurityEvent\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n | where EventID == 4688\n | where\n (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\n and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any))\n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\n and (array_length(actingprocess_has_any)==0 or ParentProcessName has_any (actingprocess_has_any))\n and (array_length(targetprocess_has_any)==0 or NewProcessName has_any (targetprocess_has_any))\n and (array_length(parentprocess_has_any)==0)\n and (targetusername_has=='*' or TargetAccount has targetusername_has) // take into account mapping?\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))\n // --------------------------------------------------------------------------------------\n | extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.3',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = 
todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n | lookup KnownSIDs on $left.TargetUserSid == $right.sid\n | extend\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\n | lookup UserTypeLookup on AccountType\n | extend\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n // Processes\n ActingProcessId = tostring(toint(ProcessId)),\n TargetProcessId = tostring(toint(NewProcessId)),\n TargetProcessCommandLine = CommandLine\n | project-rename\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n ActingProcessName = ParentProcessName,\n TargetProcessName = NewProcessName,\n ActorDomainName = SubjectDomainName,\n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n TargetUserId =TargetUserSid,\n TargetUserSessionId = TargetLogonId,\n EventOriginalUid = EventOriginId,\n TargetProcessTokenElevation = TokenElevationType\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n // -- Remove potentially confusing\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\n | project-away\n TargetDomainName,\n TargetUserName,\n TargetAccount,\n EventID\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n 
targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateMicrosoftSecurityEvents", + "query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n // Source: https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\n let KnownSIDs = datatable (sid:string, username:string, type:string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n ];\n let UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n [\n 
'User', 'Regular',\n 'Machine', 'Machine'\n ];\n let parser=(\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n disabled:bool=false\n )\n { SecurityEvent\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n | where EventID == 4688\n | where\n (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\n and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any))\n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\n and (array_length(actingprocess_has_any)==0 or ParentProcessName has_any (actingprocess_has_any))\n and (array_length(targetprocess_has_any)==0 or NewProcessName has_any (targetprocess_has_any))\n and (array_length(parentprocess_has_any)==0)\n and (targetusername_has=='*' or TargetAccount has targetusername_has) // take into account mapping?\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))\n // --------------------------------------------------------------------------------------\n | extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.3',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n 
EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n | lookup KnownSIDs on $left.TargetUserSid == $right.sid\n | extend\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\n | lookup UserTypeLookup on AccountType\n | extend\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n // Processes\n ActingProcessId = tostring(toint(ProcessId)),\n TargetProcessId = tostring(toint(NewProcessId)),\n TargetProcessCommandLine = CommandLine\n | project-rename\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n ActingProcessName = ParentProcessName,\n TargetProcessName = NewProcessName,\n ActorDomainName = SubjectDomainName,\n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n TargetUserId =TargetUserSid,\n TargetUserSessionId = TargetLogonId,\n EventOriginalUid = EventOriginId,\n TargetProcessTokenElevation = TokenElevationType\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n // -- Remove potentially confusing\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\n | project-away\n TargetDomainName,\n TargetUserName,\n TargetAccount,\n EventID\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n 
parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmon/vimProcessCreateMicrosoftSysmon.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmon/vimProcessCreateMicrosoftSysmon.json index ccfa846ddba..23af7e060ee 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmon/vimProcessCreateMicrosoftSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmon/vimProcessCreateMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventCreateMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventCreateMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon", - "category": "ASIM", - "FunctionAlias": "vimProcessEventCreateMicrosoftSysmon", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n // this is the parser for sysmon from Event table\n let parser_Event = \n Event \n // pre-filtering\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not (disabled)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and (Source == \"Microsoft-Windows-Sysmon\" and EventID == 1)\n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(commandline_has_all) == 0 or EventData has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or EventData has_any (commandline_has_any)) \n and 
(array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or EventData has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0)\n and (targetusername_has == '*' or EventData has targetusername_has) \n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n // -- \n | parse-kv EventData as (\n ProcessGuid: string, \n ProcessId: string,\n Image: string,\n FileVersion: string,\n Description: string,\n Product: string,\n Company: string,\n OriginalFileName: string,\n CommandLine: string,\n CurrentDirectory: string,\n User: string,\n LogonGuid: string, \n LogonId: string,\n IntegrityLevel: string,\n Hashes: string,\n ParentProcessGuid: string, \n ParentProcessId: string,\n ParentImage: string,\n ParentCommandLine: string,\n ParentUser: string\n ) \n with (regex=@'{?([^<]*?)}?')\n // -- post-filtering\n | where (array_length(commandline_has_any) == 0 or CommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all) == 0 or CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ParentImage has_any (actingprocess_has_any)) \n and (targetusername_has == '*' or User has targetusername_has) \n and (array_length(targetprocess_has_any) == 0 or Image has_any (targetprocess_has_any))\n // --\n | parse-kv Hashes as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 
= MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | project-away Hashes\n | extend \n TargetUsername = User,\n TargetProcessCommandLine = CommandLine\n | project-rename \n DvcHostname = Computer,\n TargetUserSessionGuid = LogonGuid,\n TargetProcessId = ProcessId,\n TargetUserSessionId = LogonId, \n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessFilename = OriginalFileName,\n TargetProcessCurrentDirectory = CurrentDirectory,\n TargetProcessIntegrityLevel = IntegrityLevel, \n TargetProcessFileCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product, \n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage,\n ActorUsername = ParentUser\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Sysmon\",\n // aliases\n Process = TargetProcessName,\n Dvc = DvcHostname,\n EventUid = _ItemId\n | project-away\n EventData,\n ParameterXml,\n AzureDeploymentID,\n EventCategory,\n EventID,\n EventLevel,\n EventLevelName,\n TenantId,\n EventLog,\n MG,\n ManagementGroupName,\n Message,\n Role,\n SourceSystem,\n Source,\n UserName,\n RenderedDescription,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_Event\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n 
commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n ) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Sysmon", + "category": "ASIM", + "FunctionAlias": "vimProcessEventCreateMicrosoftSysmon", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n // this is the parser for sysmon from Event table\n let parser_Event = \n Event \n // pre-filtering\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not (disabled)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n 
and (Source == \"Microsoft-Windows-Sysmon\" and EventID == 1)\n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(commandline_has_all) == 0 or EventData has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or EventData has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or EventData has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0)\n and (targetusername_has == '*' or EventData has targetusername_has) \n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n // -- \n | parse-kv EventData as (\n ProcessGuid: string, \n ProcessId: string,\n Image: string,\n FileVersion: string,\n Description: string,\n Product: string,\n Company: string,\n OriginalFileName: string,\n CommandLine: string,\n CurrentDirectory: string,\n User: string,\n LogonGuid: string, \n LogonId: string,\n IntegrityLevel: string,\n Hashes: string,\n ParentProcessGuid: string, \n ParentProcessId: string,\n ParentImage: string,\n ParentCommandLine: string,\n ParentUser: string\n ) \n with (regex=@'{?([^<]*?)}?')\n // -- post-filtering\n | where (array_length(commandline_has_any) == 0 or CommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all) == 0 or CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ParentImage has_any (actingprocess_has_any)) \n and (targetusername_has == '*' or User has targetusername_has) \n and (array_length(targetprocess_has_any) == 0 or Image has_any (targetprocess_has_any))\n // --\n | parse-kv Hashes as (MD5: string, SHA1: string, 
SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | project-away Hashes\n | extend \n TargetUsername = User,\n TargetProcessCommandLine = CommandLine\n | project-rename \n DvcHostname = Computer,\n TargetUserSessionGuid = LogonGuid,\n TargetProcessId = ProcessId,\n TargetUserSessionId = LogonId, \n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessFilename = OriginalFileName,\n TargetProcessCurrentDirectory = CurrentDirectory,\n TargetProcessIntegrityLevel = IntegrityLevel, \n TargetProcessFileCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product, \n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage,\n ActorUsername = ParentUser\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Sysmon\",\n // aliases\n Process = TargetProcessName,\n Dvc = DvcHostname,\n EventUid = _ItemId\n | project-away\n EventData,\n ParameterXml,\n AzureDeploymentID,\n EventCategory,\n EventID,\n EventLevel,\n EventLevelName,\n TenantId,\n EventLog,\n MG,\n ManagementGroupName,\n Message,\n Role,\n SourceSystem,\n Source,\n UserName,\n RenderedDescription,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n 
EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_Event\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n ) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmonWidowsEvent/vimProcessCreateMicrosoftSysmonWidowsEvent.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmonWidowsEvent/vimProcessCreateMicrosoftSysmonWidowsEvent.json index de4b061c669..b4a59c84b09 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmonWidowsEvent/vimProcessCreateMicrosoftSysmonWidowsEvent.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmonWidowsEvent/vimProcessCreateMicrosoftSysmonWidowsEvent.json 
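Review bot: The final `extend` on the new side unconditionally sets `TargetUsernameType = "Windows"` and `ActorUsernameType = "Windows"`, which overrides the `iff(isnotempty(...), 'Windows', '')` assignments made a few pipes earlier, so the conditional form is dead code and an event with no parsed user still reports a Windows username type; drop the two lines from the final extend (or the two conditional ones) so only one definition remains. `HashType` is derived with `array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)`, which yields -1 when every hash field is empty; if Kusto treats a negative dynamic index as counting from the end, a hash-less event is labelled `MD5` with an empty `Hash`, so wrapping it as `HashType = iff(isempty(Hash), '', ...)` is worth considering. The file lives under `vimProcessCreateMicrosoftSysmon` while the resource name and `FunctionAlias` are `vimProcessEventCreateMicrosoftSysmon`; this predates the commit, but the move to a concat-built resource name makes the mismatch more visible in deployment output.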
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventCreateMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventCreateMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon", - "category": "ASIM", - "FunctionAlias": "vimProcessEventCreateMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n // this is the parser for sysmon from WindowsEvent table\n let parser_WindowsEvent=\n WindowsEvent\n | where\n // -- pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\n and (array_length(commandline_has_all) == 0 or EventData.CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or EventData.CommandLine has_any (commandline_has_any)) \n 
and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or EventData.ParentImage has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or EventData.Image has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0)\n and (targetusername_has == '*' or EventData.User has targetusername_has) \n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n // --\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | extend \n EventOriginalType = tostring(EventID),\n TargetUserSessionId = tostring(EventData.LogonId), \n TargetUsername = tostring(EventData.User),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\n TargetUserSessionGuid = tostring(EventData.LogonGuid), \n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = tostring(EventData.ProcessGuid),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessFilename = tostring(EventData.OriginalFileName),\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\n TargetProcessFileCompany = tostring(EventData.Company),\n TargetProcessFileDescription = tostring(EventData.Description),\n TargetProcessFileVersion = tostring(EventData.FileVersion),\n TargetProcessFileProduct = tostring(EventData.Product),\n ActingProcessId = 
tostring(EventData.ParentProcessId),\n ActingProcessGuid = tostring(EventData.ParentProcessGuid), \n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\n ActingProcessName = tostring(EventData.ParentImage),\n ActorUsername = tostring(EventData.ParentUser)\n // -- post-filtering\n | where (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) \n and (targetusername_has == '*' or TargetUsername has targetusername_has) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n // --\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Security Events\"\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | extend // aliases \n Dvc = DvcHostname,\n User = TargetUsername,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n EventUid = _ItemId\n | project-away\n EventData,\n Provider,\n ManagementGroupName,\n RawEventData,\n SourceSystem,\n Task,\n TenantId,\n EventID,\n Data,\n Channel,\n EventLevel,\n EventLevelName,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n 
EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_WindowsEvent\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n ) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Sysmon", + "category": "ASIM", + "FunctionAlias": "vimProcessEventCreateMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n // this is the parser for sysmon from 
WindowsEvent table\n let parser_WindowsEvent=\n WindowsEvent\n | where\n // -- pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\n and (array_length(commandline_has_all) == 0 or EventData.CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or EventData.CommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or EventData.ParentImage has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or EventData.Image has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0)\n and (targetusername_has == '*' or EventData.User has targetusername_has) \n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n // --\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | extend \n EventOriginalType = tostring(EventID),\n TargetUserSessionId = tostring(EventData.LogonId), \n TargetUsername = tostring(EventData.User),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\n TargetUserSessionGuid = tostring(EventData.LogonGuid), \n TargetProcessId 
= tostring(EventData.ProcessId),\n TargetProcessGuid = tostring(EventData.ProcessGuid),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessFilename = tostring(EventData.OriginalFileName),\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\n TargetProcessFileCompany = tostring(EventData.Company),\n TargetProcessFileDescription = tostring(EventData.Description),\n TargetProcessFileVersion = tostring(EventData.FileVersion),\n TargetProcessFileProduct = tostring(EventData.Product),\n ActingProcessId = tostring(EventData.ParentProcessId),\n ActingProcessGuid = tostring(EventData.ParentProcessGuid), \n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\n ActingProcessName = tostring(EventData.ParentImage),\n ActorUsername = tostring(EventData.ParentUser)\n // -- post-filtering\n | where (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) \n and (targetusername_has == '*' or TargetUsername has targetusername_has) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n // --\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Security Events\"\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | extend // aliases \n Dvc = DvcHostname,\n User = TargetUsername,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n EventUid = _ItemId\n | project-away\n EventData,\n Provider,\n ManagementGroupName,\n RawEventData,\n 
SourceSystem,\n Task,\n TenantId,\n EventID,\n Data,\n Channel,\n EventLevel,\n EventLevelName,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_WindowsEvent\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n ) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
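Review bot: The trailing `extend` on the new side sets `TargetUsernameType = "Windows"` and `ActorUsernameType = "Windows"` unconditionally, which overrides the earlier `iff(isnotempty(...), 'Windows', '')` assignments a few lines above, so a row with an empty `ActorUsername` (Sysmon `ParentUser` is frequently absent) still reports a username type. Dropping the two unconditional lines from the final `extend` keeps the conditional values, and `EventOriginalType = "1"` there likewise re-assigns what `tostring(EventID)` already set. This WindowsEvent variant also labels `EventProduct = "Security Events"` while the sibling Sysmon parser in this same diff uses `EventProduct = "Sysmon"`; since both normalize Sysmon event 1, the product string should agree, and queries pivoting on EventProduct will otherwise split the data. If this ARM file is generated from a parser YAML, the correction belongs in that source rather than in the JSON.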
diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftWindowsEvents/vimProcessCreateMicrosoftWindowsEvents.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftWindowsEvents/vimProcessCreateMicrosoftWindowsEvents.json index 0d259dab016..c129562e226 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftWindowsEvents/vimProcessCreateMicrosoftWindowsEvents.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftWindowsEvents/vimProcessCreateMicrosoftWindowsEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for WEF Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateMicrosoftWindowsEvents", - "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n[\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\nlet parser 
= (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n) {\nWindowsEvent\n// -- pre-filtering\n| where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and EventID == 4688\n and not(disabled)\n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(parentprocess_has_any)==0)\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(commandline_has_all)==0 or EventData.CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or EventData.CommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or EventData.ParentProcessName has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or EventData.NewProcessName has_any (targetprocess_has_any)) \n and (targetusername_has=='*' or EventData has targetusername_has) \n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) \n // --\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n 
EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\",\n username = tostring(EventData.TargetUserName)\n| extend\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username))\n| where // -- post filtering\n (targetusername_has=='*' or TargetUsername has targetusername_has) \n| extend\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\n| extend\n TargetUserIdType = iff (TargetUserId <> \"S-1-0-0\", \"SID\", \"\"),\n TargetUserId = iff (TargetUserId <> \"S-1-0-0\", TargetUserId, \"\"), \n TargetUsernameType = \"Windows\"\n| project-away\n username\n| extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n| extend \n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n| lookup 
MandatoryLabelLookup on MandatoryLabel\n// -- Aliases\n| extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for WEF Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateMicrosoftWindowsEvents", + "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == 
\"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n[\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\nlet parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n) {\nWindowsEvent\n// -- pre-filtering\n| where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and EventID == 4688\n and not(disabled)\n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(parentprocess_has_any)==0)\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(commandline_has_all)==0 or EventData.CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or EventData.CommandLine has_any (commandline_has_any)) \n and 
(array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or EventData.ParentProcessName has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or EventData.NewProcessName has_any (targetprocess_has_any)) \n and (targetusername_has=='*' or EventData has targetusername_has) \n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) \n // --\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\",\n username = tostring(EventData.TargetUserName)\n| extend\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username))\n| where // -- post filtering\n (targetusername_has=='*' or TargetUsername has targetusername_has) \n| extend\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\n| extend\n TargetUserIdType = iff (TargetUserId <> \"S-1-0-0\", \"SID\", \"\"),\n TargetUserId = iff (TargetUserId <> \"S-1-0-0\", TargetUserId, \"\"), \n TargetUsernameType = \"Windows\"\n| project-away\n username\n| extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\n 
TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n| extend \n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n| lookup MandatoryLabelLookup on MandatoryLabel\n// -- Aliases\n| extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateSentinelOne/vimProcessCreateSentinelOne.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateSentinelOne/vimProcessCreateSentinelOne.json index 0e20f0d29e0..2c9c4c22c55 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateSentinelOne/vimProcessCreateSentinelOne.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateSentinelOne/vimProcessCreateSentinelOne.json 
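Review bot: `TargetUsername` is built as `strcat(EventData.SubjectDomainName, @'\\', username)` where `username` comes from `EventData.TargetUserName`, so when a 4688 event carries a distinct target account the domain is taken from the subject rather than from `TargetDomainName`; the Actor/Target identity split is the point of the field, and a mismatched domain here will mislead any detection keyed on TargetUsername. The `ASIM_ResolveWindowsUsername` helper defined at the top of the query (which already handles the `"-"` domain case) is never called, so either wire it in for both the Subject and Target pairs or remove it as dead code. The per-hunk structural change itself, from a nested workspace resource to a flat `workspaces/savedSearches` resource, is sound and narrows the deployment to the saved search; note that `"etag": "*"` still means any existing function with this alias is overwritten unconditionally, which is presumably intended for parser updates. As with the other parsers in this diff, if the JSON is generated from a YAML source the fix belongs there.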
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateSentinelOne", - "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: 
string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"PROCESSCREATION\"\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and array_length(dvcipaddr_has_any_prefix) == 0\n and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has)\n and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any))\n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix))\n and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any))\n and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any))\n and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))\n and (array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any));\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union 
undefineddata, suspiciousdata, maaliciousdata\n | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n DvcId = agentDetectionInfo_uuid_g,\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,\n TargetProcessId = targetProcessInfo_tgtProcPid_s,\n TargetProcessName = targetProcessInfo_tgtProcName_s,\n EventUid = _ItemId,\n TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,\n ActingProcessName = sourceProcessInfo_name_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,\n ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,\n ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,\n ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n TargetUsername = sourceProcessInfo_user_s,\n Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),\n ParentProcessId = sourceProcessInfo_pid_s,\n TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = 
replace_string(sourceProcessInfo_fileHashMd5_g, \"-\", \"\"),\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity)\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"ProcessEvent\"\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n ActingProcessCreationTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Rule = RuleName\n | extend\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateSentinelOne", + "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n let alldata = 
SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"PROCESSCREATION\"\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and array_length(dvcipaddr_has_any_prefix) == 0\n and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has)\n and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any))\n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix))\n and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any))\n and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any))\n and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))\n and (array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any));\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend ThreatConfidence = 
coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n DvcId = agentDetectionInfo_uuid_g,\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,\n TargetProcessId = targetProcessInfo_tgtProcPid_s,\n TargetProcessName = targetProcessInfo_tgtProcName_s,\n EventUid = _ItemId,\n TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,\n ActingProcessName = sourceProcessInfo_name_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,\n ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,\n ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,\n ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n TargetUsername = sourceProcessInfo_user_s,\n Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),\n ParentProcessId = sourceProcessInfo_pid_s,\n TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, \"-\", \"\"),\n EventSeverity = iff(EventOriginalSeverity == 
\"Critical\", \"High\", EventOriginalSeverity)\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"ProcessEvent\"\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n ActingProcessCreationTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Rule = RuleName\n | extend\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateTrendMicroVisionOne/vimProcessCreateTrendMicroVisionOne.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateTrendMicroVisionOne/vimProcessCreateTrendMicroVisionOne.json index c66bbe1cfc4..34a0b7730df 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateTrendMicroVisionOne/vimProcessCreateTrendMicroVisionOne.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateTrendMicroVisionOne/vimProcessCreateTrendMicroVisionOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateTrendMicroVisionOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateTrendMicroVisionOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateTrendMicroVisionOne", - "query": "let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\n [\n 0, \"Untrusted\",\n 4096, \"Low\",\n 8192, \"Medium\",\n 12288, \"High\",\n 16384, \"System\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and 
(isnull(endtime) or TimeGenerated <= endtime)\n and detail_eventId_s == \"TELEMETRY_PROCESS\"\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and array_length(dvcipaddr_has_any_prefix) == 0 \n and (targetusername_has == '*' or detail_objectUser_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or detail_objectCmd_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or detail_objectCmd_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(detail_objectCmd_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or detail_processName_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or detail_objectName_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or detail_parentName_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or detail_objectFileHashSha1_s has_any (hashes_has_any) or detail_objectFileHashSha256_s has_any (hashes_has_any)\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | extend\n ActingProcessId = tostring(toint(detail_processPid_d)),\n TargetProcessId = tostring(toint(detail_objectPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\n ActingProcessFilename = GetFilenamePart(detail_processFilePath_s),\n ParentProcessCreationTime = 
unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\n ParentProcessName = detail_parentName_s,\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\n ActingProcessFileSize = tolong(detail_processFileSize_d),\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, \"-\", \"\"),\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s\n )\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\n | project-rename ParentProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\n | project-rename TargetProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\n | project-rename ActingProcessIntegrityLevel = IntegrityType\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"ProcessEvent\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n TargetProcessName = detail_objectName_s,\n TargetUsername = detail_objectUser_s,\n ActingProcessName = detail_processName_s,\n ActingProcessSHA1 = detail_processFileHashSha1_s,\n ActingProcessSHA256 = detail_processFileHashSha256_s,\n 
DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\n TargetProcessSHA256 = detail_objectFileHashSha256_s,\n EventUid = _ItemId,\n EventMessage = description\n | extend \n Dvc = DvcHostname,\n EventEndTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\n | extend\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n filters,\n name\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n 
dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateTrendMicroVisionOne", + "query": "let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\n [\n 0, \"Untrusted\",\n 4096, \"Low\",\n 8192, \"Medium\",\n 12288, \"High\",\n 16384, \"System\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n 
TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and detail_eventId_s == \"TELEMETRY_PROCESS\"\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and array_length(dvcipaddr_has_any_prefix) == 0 \n and (targetusername_has == '*' or detail_objectUser_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or detail_objectCmd_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or detail_objectCmd_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(detail_objectCmd_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or detail_processName_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or detail_objectName_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or detail_parentName_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or detail_objectFileHashSha1_s has_any (hashes_has_any) or detail_objectFileHashSha256_s has_any (hashes_has_any)\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | extend\n ActingProcessId = tostring(toint(detail_processPid_d)),\n TargetProcessId = tostring(toint(detail_objectPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\n ActingProcessFilename = 
GetFilenamePart(detail_processFilePath_s),\n ParentProcessCreationTime = unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\n ParentProcessName = detail_parentName_s,\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\n ActingProcessFileSize = tolong(detail_processFileSize_d),\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, \"-\", \"\"),\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s\n )\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\n | project-rename ParentProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\n | project-rename TargetProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\n | project-rename ActingProcessIntegrityLevel = IntegrityType\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"ProcessEvent\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n TargetProcessName = detail_objectName_s,\n TargetUsername = detail_objectUser_s,\n ActingProcessName = detail_processName_s,\n ActingProcessSHA1 = 
detail_processFileHashSha1_s,\n ActingProcessSHA256 = detail_processFileHashSha256_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\n TargetProcessSHA256 = detail_objectFileHashSha256_s,\n EventUid = _ItemId,\n EventMessage = description\n | extend \n Dvc = DvcHostname,\n EventEndTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\n | extend\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n filters,\n name\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n 
parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json index 50abd33f255..1ca6499ce56 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json 
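Review bot: The hash filter at the end of the `where` clause in the new query string is the only optional filter without its own parentheses: `and array_length(hashes_has_any) == 0 or detail_objectFileHashSha1_s has_any (hashes_has_any) or detail_objectFileHashSha256_s has_any (hashes_has_any)`. Because `and` binds tighter than `or`, whenever `hashes_has_any` is non-empty every row whose SHA1 or SHA256 matches is returned regardless of the time window, `detail_eventId_s`, `eventtype`, username, command-line, process and hostname filters, so a caller combining a hash filter with any other filter gets rows the other filters should have excluded. The SentinelOne hunk above wraps the same clause correctly, and this one should read `and (array_length(hashes_has_any) == 0 or detail_objectFileHashSha1_s has_any (hashes_has_any) or detail_objectFileHashSha256_s has_any (hashes_has_any))`. Since this JSON is regenerated from the parser's YAML source by the tooling changed in this commit, the fix belongs in that YAML, with this file regenerated from it. Separately, the `functionParameters` string lists `hashes_has_any` before `eventtype` while the KQL `parser` signature and the SentinelOne parser declare `eventtype` first, which would misassign values for any caller that passes these arguments positionally.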
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: 
dynamic=dynamic([]),\n disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and (array_length(dvcipaddr_has_any_prefix) == 0 or 
has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix))\n and (targetusername_has == '*' or childproc_username_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or process_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or childproc_name_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or parent_path_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s; \n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == 
$right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n \"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n 
\"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n 
commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: 
dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let 
processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix))\n and (targetusername_has == '*' or childproc_username_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or process_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or childproc_name_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or parent_path_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s; \n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n 
threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n 
ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n \"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n \"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n 
isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json b/Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json index 1cf23a68148..8053bf3826c 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json 
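Review bot: The hash filter inside the new `query` string, `and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)`, lacks the enclosing parentheses its sibling filters have, so under KQL's `and`-before-`or` precedence every preceding predicate (time window, `disabled`, eventType, username and command-line filters) is bypassed for any row whose `childproc_hash_s` matches the supplied hashes. The same line is present on the removed side, so the commit carries the defect forward rather than introducing it. Wrap it like the neighbouring predicates: `and (array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any))`. This ARM JSON appears to be generated from the parser's YAML source, so the fix presumably belongs there so the regenerated template picks it up.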
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimProcessEmpty", - "query": "let EmptyNewProcessEvents = datatable(\n // ****** Mandatory LA fields ******\n TimeGenerated:datetime, // => EventEndTime\n _ResourceId:string,\n Type:string,\n // ****** Event fields ******\n EventType:string,\n EventProduct:string,\n EventProductVersion:string,\n EventCount:int,\n EventMessage:string,\n EventVendor:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventSubType:string,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventReportUrl:string,\n EventResult: string,\n EventResultDetails: string,\n AdditionalFields:dynamic,\n EventOwner:string,\n // ****** Device fields ******\n DvcId:string,\n DvcHostname:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcIpAddr:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcMacAddr:string,\n DvcAction:string,\n DvcOriginalAction:string,\n DvcDescription: string,\n DvcIdType: string,\n DvcInterface: string,\n DvcZone: string,\n DvcScopeId:string,\n DvcScope:string,\n // ****** Target fields ******\n TargetUsername:string,\n TargetUsernameType:string,\n 
TargetOriginalUserType:string,\n TargetUserId:string,\n TargetUserIdType:string,\n TargetUserType:string,\n TargetUserSessionId:string,\n TargetUserUid:string,\n TargetUserScopeId:string,\n TargetUserScope:string,\n TargetProcessName:string,\n TargetProcessFileDescription:string,\n TargetProcessFileProduct:string,\n TargetProcessFileVersion:string,\n TargetProcessFileCompany: string,\n TargetProcessFileInternalName: string,\n TargetProcessFileOriginalName: string,\n TargetProcessFileSize: long,\n TargetProcessCurrentDirectory: string,\n TargetProcessIsHidden:bool,\n TargetProcessInjectedAddress:string,\n TargetProcessMD5:string,\n TargetProcessSHA1:string,\n TargetProcessSHA256:string,\n TargetProcessSHA512:string,\n TargetProcessIMPHASH:string,\n TargetProcessCommandLine:string,\n TargetProcessCreationTime:datetime,\n TargetProcessId:string,\n TargetProcessGuid:string,\n TargetProcessIntegrityLevel:string,\n TargetProcessTokenElevation:string,\n // ****** Process fields ******\n ActorUsername:string,\n ActorUsernameType:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUserType:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n ActingProcessCommandLine:string,\n ActingProcessName:string,\n ActingProcessFileDescription:string,\n ActingProcessFileProduct:string,\n ActingProcessFileCompany: string,\n ActingProcessFileInternalName: string,\n ActingProcessFileOriginalName: string,\n ActingProcessFileSize: long,\n ActingProcessFileVersion:string,\n ActingProcessIsHidden:bool,\n ActingProcessTokenElevation: string,\n ActingProcessInjectedAddress:string,\n ActingProcessId:string,\n ActingProcessGuid:string,\n ActingProcessIntegrityLevel:string,\n ActingProcessMD5:string,\n ActingProcessSHA1:string,\n ActingProcessSHA256:string,\n ActingProcessSHA512:string,\n ActingProcessIMPHASH:string,\n ActingProcessCreationTime:datetime,\n 
ParentProcessName:string,\n ParentProcessFileDescription:string,\n ParentProcessFileProduct:string,\n ParentProcessFileVersion:string,\n ParentProcessFileCompany: string,\n ParentProcessTokenElevation:string,\n ParentProcessIsHidden:bool,\n ParentProcessInjectedAddress:string,\n ParentProcessId:string,\n ParentProcessGuid:string,\n ParentProcessIntegrityLevel:string,\n ParentProcessMD5:string,\n ParentProcessSHA1:string,\n ParentProcessSHA256:string,\n ParentProcessSHA512:string,\n ParentProcessIMPHASH:string,\n ParentProcessCreationTime:datetime,\n ParentProcessCommandLine:string,\n ParentProcessFileInternalName: string,\n ParentProcessFileOriginalName: string,\n ParentProcessFileSize: long,\n //****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ******\n Dvc:string,\n Src:string,\n Dst:string,\n User:string,\n Process:string,\n CommandLine:string,\n Hash:string,\n HashType:string\n )[];\n EmptyNewProcessEvents\n", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimProcessEmpty", + "query": "let EmptyNewProcessEvents = datatable(\n // ****** Mandatory LA fields ******\n TimeGenerated:datetime, // => EventEndTime\n _ResourceId:string,\n Type:string,\n // ****** Event fields ******\n EventType:string,\n EventProduct:string,\n EventProductVersion:string,\n EventCount:int,\n EventMessage:string,\n EventVendor:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventSubType:string,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalResultDetails:string,\n 
EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventReportUrl:string,\n EventResult: string,\n EventResultDetails: string,\n AdditionalFields:dynamic,\n EventOwner:string,\n // ****** Device fields ******\n DvcId:string,\n DvcHostname:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcIpAddr:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcMacAddr:string,\n DvcAction:string,\n DvcOriginalAction:string,\n DvcDescription: string,\n DvcIdType: string,\n DvcInterface: string,\n DvcZone: string,\n DvcScopeId:string,\n DvcScope:string,\n // ****** Target fields ******\n TargetUsername:string,\n TargetUsernameType:string,\n TargetOriginalUserType:string,\n TargetUserId:string,\n TargetUserIdType:string,\n TargetUserType:string,\n TargetUserSessionId:string,\n TargetUserUid:string,\n TargetUserScopeId:string,\n TargetUserScope:string,\n TargetProcessName:string,\n TargetProcessFileDescription:string,\n TargetProcessFileProduct:string,\n TargetProcessFileVersion:string,\n TargetProcessFileCompany: string,\n TargetProcessFileInternalName: string,\n TargetProcessFileOriginalName: string,\n TargetProcessFileSize: long,\n TargetProcessCurrentDirectory: string,\n TargetProcessIsHidden:bool,\n TargetProcessInjectedAddress:string,\n TargetProcessMD5:string,\n TargetProcessSHA1:string,\n TargetProcessSHA256:string,\n TargetProcessSHA512:string,\n TargetProcessIMPHASH:string,\n TargetProcessCommandLine:string,\n TargetProcessCreationTime:datetime,\n TargetProcessId:string,\n TargetProcessGuid:string,\n TargetProcessIntegrityLevel:string,\n TargetProcessTokenElevation:string,\n // ****** Process fields ******\n ActorUsername:string,\n ActorUsernameType:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUserType:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n 
ActingProcessCommandLine:string,\n ActingProcessName:string,\n ActingProcessFileDescription:string,\n ActingProcessFileProduct:string,\n ActingProcessFileCompany: string,\n ActingProcessFileInternalName: string,\n ActingProcessFileOriginalName: string,\n ActingProcessFileSize: long,\n ActingProcessFileVersion:string,\n ActingProcessIsHidden:bool,\n ActingProcessTokenElevation: string,\n ActingProcessInjectedAddress:string,\n ActingProcessId:string,\n ActingProcessGuid:string,\n ActingProcessIntegrityLevel:string,\n ActingProcessMD5:string,\n ActingProcessSHA1:string,\n ActingProcessSHA256:string,\n ActingProcessSHA512:string,\n ActingProcessIMPHASH:string,\n ActingProcessCreationTime:datetime,\n ParentProcessName:string,\n ParentProcessFileDescription:string,\n ParentProcessFileProduct:string,\n ParentProcessFileVersion:string,\n ParentProcessFileCompany: string,\n ParentProcessTokenElevation:string,\n ParentProcessIsHidden:bool,\n ParentProcessInjectedAddress:string,\n ParentProcessId:string,\n ParentProcessGuid:string,\n ParentProcessIntegrityLevel:string,\n ParentProcessMD5:string,\n ParentProcessSHA1:string,\n ParentProcessSHA256:string,\n ParentProcessSHA512:string,\n ParentProcessIMPHASH:string,\n ParentProcessCreationTime:datetime,\n ParentProcessCommandLine:string,\n ParentProcessFileInternalName: string,\n ParentProcessFileOriginalName: string,\n ParentProcessFileSize: long,\n //****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ******\n Dvc:string,\n Src:string,\n Dst:string,\n User:string,\n Process:string,\n CommandLine:string,\n Hash:string,\n HashType:string\n )[];\n EmptyNewProcessEvents\n", + "version": 1 + } } ] -} \ No 
newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json b/Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json index 513771babcc..30517cc1911 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", - "category": "ASIM", - "FunctionAlias": "vimProcessEventMD4IoT", - "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" \n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (targetusername=='*' or EventDetails has targetusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | extend\n EventDetails = 
todynamic(EventDetails)\n | extend // required for postfilterring\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (targetusername=='*' or TargetUsername has targetusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n 
EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", + "category": "ASIM", + "FunctionAlias": "vimProcessEventMD4IoT", + "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" \n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (targetusername=='*' 
or EventDetails has targetusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | extend // required for postfilterring\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (targetusername=='*' or TargetUsername has targetusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = 
tostring(EventDetails.ProcessId), \n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json b/Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json index 30076232597..49c88a590ac 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft 365 Defender for endpoint", - "category": "ASIM", - "FunctionAlias": "vimProcessEventMicrosoft365D", - "query": "let parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n ) {\n DeviceProcessEvents \n // -- pre-filtering\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(commandline_has_all)==0 or ProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or ProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(ProcessCommandLine, commandline_has_any_ip_prefix) ) \n and 
(array_length(actingprocess_has_any)==0 or InitiatingProcessFolderPath has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or FolderPath has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any)==0 or InitiatingProcessParentFileName has_any (parentprocess_has_any)) \n and (targetusername_has=='*' or AccountName has targetusername_has or AccountDomain has targetusername_has) \n and (array_length(dvchostname_has_any)==0 or DeviceName has_any (dvchostname_has_any)) \n and (array_length(hashes_has_any)==0 or SHA256 in (hashes_has_any) or SHA1 in (hashes_has_any) or MD5 in (hashes_has_any))\n and (eventtype=='*' or eventtype=='ProcessCreated')\n | extend\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventResult = 'Success'\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, 
AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n MDE_MachineGroup = MachineGroup\n | extend // -- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId\n };\n parser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n 
commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft 365 Defender for endpoint", + "category": "ASIM", + "FunctionAlias": "vimProcessEventMicrosoft365D", + "query": "let parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n ) {\n DeviceProcessEvents \n // -- pre-filtering\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n 
and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(commandline_has_all)==0 or ProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or ProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(ProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or InitiatingProcessFolderPath has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or FolderPath has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any)==0 or InitiatingProcessParentFileName has_any (parentprocess_has_any)) \n and (targetusername_has=='*' or AccountName has targetusername_has or AccountDomain has targetusername_has) \n and (array_length(dvchostname_has_any)==0 or DeviceName has_any (dvchostname_has_any)) \n and (array_length(hashes_has_any)==0 or SHA256 in (hashes_has_any) or SHA1 in (hashes_has_any) or MD5 in (hashes_has_any))\n and (eventtype=='*' or eventtype=='ProcessCreated')\n | extend\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventResult = 'Success'\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n 
Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n MDE_MachineGroup = MachineGroup\n | 
extend // -- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId\n };\n parser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessEventNative/vimProcessEventNative.json b/Parsers/ASimProcessEvent/ARM/vimProcessEventNative/vimProcessEventNative.json index 852d8db56d6..fe94e581071 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessEventNative/vimProcessEventNative.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessEventNative/vimProcessEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event ASIM filtering parser for Microsoft Sentinel native Process Event table", - "category": "ASIM", - "FunctionAlias": "vimProcessEventNative", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimProcessEventLogs \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DvcIpAddr, dvcipaddr_has_any_prefix))\n and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or 
has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or ParentProcessName has_any (parentprocess_has_any)) \n and (targetusername_has == '*' or TargetUsername has targetusername_has)\n and (actorusername_has == '*' or ActorUsername has actorusername_has) \n and (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any)) \n and (array_length(hashes_has_any) == 0 or TargetProcessSHA512 has_any (hashes_has_any) or TargetProcessSHA256 has_any (hashes_has_any) or TargetProcessSHA1 has_any (hashes_has_any) or TargetProcessMD5 has_any (hashes_has_any) or TargetProcessIMPHASH has_any (hashes_has_any))\n and (eventtype == '*' or EventType == eventtype)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"ProcessEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = TargetUsername,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine,\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n 
targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event ASIM filtering parser for Microsoft Sentinel native Process Event table", + "category": "ASIM", + "FunctionAlias": "vimProcessEventNative", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimProcessEventLogs \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(dvcipaddr_has_any_prefix) == 0 or 
has_any_ipv4_prefix(DvcIpAddr, dvcipaddr_has_any_prefix))\n and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or ParentProcessName has_any (parentprocess_has_any)) \n and (targetusername_has == '*' or TargetUsername has targetusername_has)\n and (actorusername_has == '*' or ActorUsername has actorusername_has) \n and (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any)) \n and (array_length(hashes_has_any) == 0 or TargetProcessSHA512 has_any (hashes_has_any) or TargetProcessSHA256 has_any (hashes_has_any) or TargetProcessSHA1 has_any (hashes_has_any) or TargetProcessMD5 has_any (hashes_has_any) or TargetProcessIMPHASH has_any (hashes_has_any))\n and (eventtype == '*' or EventType == eventtype)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"ProcessEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = TargetUsername,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine,\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\n | project-away\n TenantId,\n 
SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json index f63d175a5be..d25653b22ba 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateLinuxSysmon", - "query": "let ParsedProcessEvent=(){\nSyslog\n| where SyslogMessage has_all ('5')\n// --------------------------------------------------------------------------------------\n| where\n(isnull(starttime) or TimeGenerated >= starttime )\nand (isnull(endtime) or TimeGenerated <= endtime )\nand not(disabled)\nand (array_length(dvcipaddr_has_any_prefix)==0)\nand (array_length(commandline_has_all)==0) \nand (array_length(commandline_has_any)==0) \nand (array_length(actingprocess_has_any)==0) \nand (array_length(parentprocess_has_any)==0) \nand (array_length(commandline_has_any_ip_prefix)==0) \nand (eventtype=='*' or eventtype=='ProcessTerminated')\nand (array_length(targetprocess_has_any)==0 or SyslogMessage has_any (targetprocess_has_any)) \nand (actorusername=='*' or SyslogMessage has actorusername) \nand (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) \n// --------------------------------------------------------------------------------------\n| parse SyslogMessage with *''ActorUsername '' *\n// --------------------------------------------------------------------------------------\n| where\n (actorusername=='*' or ActorUsername has actorusername) 
\n// --------------------------------------------------------------------------------------\n| parse SyslogMessage with * ''RuleName''\n ''UtcTime''\n '{'ProcessGuid'}'\n ''ProcessId:string''\n ''Image''*\n// --------------------------------------------------------------------------------------\n| where\n (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any)) \n// --------------------------------------------------------------------------------------\n| project-away SyslogMessage\n| extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType='5',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Linux\"\n| project-rename\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessId = ProcessId\n| extend\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n TargetProcessGuid = ProcessGuid,\n //***** Aliases ******\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n}; ParsedProcessEvent\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateLinuxSysmon", + "query": "let ParsedProcessEvent=(){\nSyslog\n| where SyslogMessage has_all 
('5')\n// --------------------------------------------------------------------------------------\n| where\n(isnull(starttime) or TimeGenerated >= starttime )\nand (isnull(endtime) or TimeGenerated <= endtime )\nand not(disabled)\nand (array_length(dvcipaddr_has_any_prefix)==0)\nand (array_length(commandline_has_all)==0) \nand (array_length(commandline_has_any)==0) \nand (array_length(actingprocess_has_any)==0) \nand (array_length(parentprocess_has_any)==0) \nand (array_length(commandline_has_any_ip_prefix)==0) \nand (eventtype=='*' or eventtype=='ProcessTerminated')\nand (array_length(targetprocess_has_any)==0 or SyslogMessage has_any (targetprocess_has_any)) \nand (actorusername=='*' or SyslogMessage has actorusername) \nand (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) \n// --------------------------------------------------------------------------------------\n| parse SyslogMessage with *''ActorUsername '' *\n// --------------------------------------------------------------------------------------\n| where\n (actorusername=='*' or ActorUsername has actorusername) \n// --------------------------------------------------------------------------------------\n| parse SyslogMessage with * ''RuleName''\n ''UtcTime''\n '{'ProcessGuid'}'\n ''ProcessId:string''\n ''Image''*\n// --------------------------------------------------------------------------------------\n| where\n (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any)) \n// --------------------------------------------------------------------------------------\n| project-away SyslogMessage\n| extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType='5',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Linux\"\n| project-rename\n 
DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessId = ProcessId\n| extend\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n TargetProcessGuid = ProcessGuid,\n //***** Aliases ******\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n}; ParsedProcessEvent\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json index c0f055ae5b0..9f40f10f059 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Defender for IoT", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateMD4IoT", - "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" and EventDetails has_cs 'EXIT'\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (actorusername=='*' or EventDetails has actorusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // 
--------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | where tostring(EventDetails.EventType) == 'EXIT'\n | extend // required for postfilterring\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // Intermediate fix\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0])\n | extend // required for postfilterring\n ActorUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (actorusername=='*' or ActorUsername has actorusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = 'ProcessTerminated', \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n ActorUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n 
ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = ActorUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Defender for IoT", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateMD4IoT", + "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" and EventDetails has_cs 'EXIT'\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or 
has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (actorusername=='*' or EventDetails has actorusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | where tostring(EventDetails.EventType) == 'EXIT'\n | extend // required for postfilterring\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // Intermediate fix\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0])\n | extend // required for postfilterring\n ActorUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (actorusername=='*' or ActorUsername has actorusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent', \n EventStartTime = 
todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = 'ProcessTerminated', \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n ActorUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = ActorUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json index c4b4b690b79..e209d38e0f8 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateMicrosoftSecurityEvents", - "query": "let ProcessEvents=(){\nSecurityEvent\n// -- Filter\n| where EventID == 4689\n// --------------------------------------------------------------------------------------\n| where\n(isnull(starttime) or TimeGenerated >= starttime )\nand (isnull(endtime) or TimeGenerated <= endtime )\nand not(disabled)\nand (array_length(actingprocess_has_any)==0 ) \nand (array_length(parentprocess_has_any)==0) \nand (array_length(dvcipaddr_has_any_prefix)==0)\nand (eventtype=='*' or eventtype=='ProcessTerminated')\nand (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) \nand (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all)) \nand (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) ) \nand (array_length(targetprocess_has_any)==0 or ProcessName has_any (targetprocess_has_any)) \nand (actorusername=='*' or SubjectAccount has actorusername) \nand (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) \n// --------------------------------------------------------------------------------------\n// 
-- Map\n| extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Events\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n EventOriginalUid = EventOriginId,\n EventResultDetails = Status,\n EventOriginalResultDetails = Status, \n // Device\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = SubjectLogonId,\n ActorDomainName = SubjectDomainName,\n // Processes \n TargetProcessId = tostring(toint(ProcessId)),\n TargetProcessName = ProcessName,\n TargetProcessCommandLine = CommandLine,\n TargetProcessTokenElevation = TokenElevationType,\n Process = ProcessName\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n}; ProcessEvents\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": 
"vimProcessTerminateMicrosoftSecurityEvents", + "query": "let ProcessEvents=(){\nSecurityEvent\n// -- Filter\n| where EventID == 4689\n// --------------------------------------------------------------------------------------\n| where\n(isnull(starttime) or TimeGenerated >= starttime )\nand (isnull(endtime) or TimeGenerated <= endtime )\nand not(disabled)\nand (array_length(actingprocess_has_any)==0 ) \nand (array_length(parentprocess_has_any)==0) \nand (array_length(dvcipaddr_has_any_prefix)==0)\nand (eventtype=='*' or eventtype=='ProcessTerminated')\nand (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) \nand (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all)) \nand (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) ) \nand (array_length(targetprocess_has_any)==0 or ProcessName has_any (targetprocess_has_any)) \nand (actorusername=='*' or SubjectAccount has actorusername) \nand (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) \n// --------------------------------------------------------------------------------------\n// -- Map\n| extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Events\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n EventOriginalUid = EventOriginId,\n EventResultDetails = Status,\n EventOriginalResultDetails = Status, \n // Device\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, 
SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = SubjectLogonId,\n ActorDomainName = SubjectDomainName,\n // Processes \n TargetProcessId = tostring(toint(ProcessId)),\n TargetProcessName = ProcessName,\n TargetProcessCommandLine = CommandLine,\n TargetProcessTokenElevation = TokenElevationType,\n Process = ProcessName\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n}; ProcessEvents\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmon/vimProcessTerminateMicrosoftSysmon.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmon/vimProcessTerminateMicrosoftSysmon.json index c5c298127ca..9dabfd6aadf 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmon/vimProcessTerminateMicrosoftSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmon/vimProcessTerminateMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventTerminateMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventTerminateMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessEventTerminateMicrosoftSysmon", - "query": "let parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n actorusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n disabled:bool=false\n ) {\n // this is the parser for sysmon from Event table\n let parser_Event =\n Event\n | where // pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_all)==0) \n and (array_length(commandline_has_any)==0) \n and (array_length(commandline_has_any_ip_prefix)==0) \n and (array_length(actingprocess_has_any)==0) \n and (array_length(parentprocess_has_any)==0) 
\n and (array_length(targetprocess_has_any)==0 or EventData has_any (targetprocess_has_any)) \n and (actorusername_has=='*' or EventData has actorusername_has) \n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))\n | parse-kv EventData as (\n ProcessId:string,\n ProcessGuid:string,\n Image:string,\n User:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n ActorUsername = User,\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessGuid = ProcessGuid,\n TargetProcessId = ProcessId\n | where // post-filtering\n (actorusername_has=='*' or ActorUsername has actorusername_has) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n | extend \n EventProduct = \"Sysmon\"\n | project-away EventData, ParameterXml, RenderedDescription, MG, ManagementGroupName, Message, AzureDeploymentID, SourceSystem, EventCategory, EventLevelName, EventLevel, EventLog, Role, TenantId, UserName, Source\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID,_ResourceId\n ;\n parser_Event\n };\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n 
actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessEventTerminateMicrosoftSysmon", + "query": "let parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n actorusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n disabled:bool=false\n ) {\n // this is the parser for sysmon from Event table\n let parser_Event =\n Event\n | where // pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_all)==0) \n and (array_length(commandline_has_any)==0) \n and (array_length(commandline_has_any_ip_prefix)==0) \n and 
(array_length(actingprocess_has_any)==0) \n and (array_length(parentprocess_has_any)==0) \n and (array_length(targetprocess_has_any)==0 or EventData has_any (targetprocess_has_any)) \n and (actorusername_has=='*' or EventData has actorusername_has) \n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))\n | parse-kv EventData as (\n ProcessId:string,\n ProcessGuid:string,\n Image:string,\n User:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n ActorUsername = User,\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessGuid = ProcessGuid,\n TargetProcessId = ProcessId\n | where // post-filtering\n (actorusername_has=='*' or ActorUsername has actorusername_has) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n | extend \n EventProduct = \"Sysmon\"\n | project-away EventData, ParameterXml, RenderedDescription, MG, ManagementGroupName, Message, AzureDeploymentID, SourceSystem, EventCategory, EventLevelName, EventLevel, EventLog, Role, TenantId, UserName, Source\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID,_ResourceId\n ;\n parser_Event\n };\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n 
targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmonWindowsEvent/vimProcessTerminateMicrosoftSysmonWindowsEvent.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmonWindowsEvent/vimProcessTerminateMicrosoftSysmonWindowsEvent.json index 361a9f597a7..a8283b911bb 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmonWindowsEvent/vimProcessTerminateMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmonWindowsEvent/vimProcessTerminateMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventTerminateMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventTerminateMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessEventTerminateMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n let parser_WindowsEvent=\n WindowsEvent\n | where // pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n and Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\n and (eventtype == '*' or eventtype == 'ProcessTerminated')\n and (array_length(commandline_has_all) == 0) \n and (array_length(commandline_has_any) == 0) \n and (array_length(commandline_has_any_ip_prefix) == 0) \n and (array_length(actingprocess_has_any) == 0) \n and 
(array_length(parentprocess_has_any) == 0) \n and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) \n and (actorusername_has == '*' or EventData has actorusername_has) \n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend\n EventProduct = \"Security Events\",\n ActorUsername = tostring(EventData.User),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string))\n | where // post-filtering\n (actorusername_has == '*' or ActorUsername has actorusername_has) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | project-away\n Channel,\n Data,\n EventData,\n EventLevelName,\n EventLevel,\n ManagementGroupName,\n Provider,\n RawEventData,\n SourceSystem,\n Task,\n TenantId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away\n EventID,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId\n ;\n parser_WindowsEvent\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n 
commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessEventTerminateMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n let parser_WindowsEvent=\n WindowsEvent\n | where // pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n and Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\n and (eventtype == '*' or eventtype == 
'ProcessTerminated')\n and (array_length(commandline_has_all) == 0) \n and (array_length(commandline_has_any) == 0) \n and (array_length(commandline_has_any_ip_prefix) == 0) \n and (array_length(actingprocess_has_any) == 0) \n and (array_length(parentprocess_has_any) == 0) \n and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) \n and (actorusername_has == '*' or EventData has actorusername_has) \n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend\n EventProduct = \"Security Events\",\n ActorUsername = tostring(EventData.User),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string))\n | where // post-filtering\n (actorusername_has == '*' or ActorUsername has actorusername_has) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | project-away\n Channel,\n Data,\n EventData,\n EventLevelName,\n EventLevel,\n ManagementGroupName,\n Provider,\n RawEventData,\n SourceSystem,\n Task,\n TenantId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away\n EventID,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n 
_ResourceId\n ;\n parser_WindowsEvent\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftWindowsEvents/vimProcessTerminateMicrosoftWindowsEvents.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftWindowsEvents/vimProcessTerminateMicrosoftWindowsEvents.json index c6fd467a2a9..f1444f95774 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftWindowsEvents/vimProcessTerminateMicrosoftWindowsEvents.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftWindowsEvents/vimProcessTerminateMicrosoftWindowsEvents.json 
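Review bot: The saved search is now deployed as `"name": "[concat(parameters('Workspace'), '/vimProcessEventTerminateMicrosoftSysmonWindowsEvent')]"` while the template lives under `vimProcessTerminateMicrosoftSysmonWindowsEvent/`, so the alias that lands in the workspace differs from the one the file path implies; if the path reflects the alias other parsers reference, that union will not resolve it. The same resource labels itself "Microsoft Windows Security Events" with `EventProduct = "Security Events"` although the query filters on `Provider == "Microsoft-Windows-Sysmon" and EventID == 5`, which mislabels the product in the normalized output. Both values come from the generator's YAML input, so the fix belongs there rather than in this generated JSON. Separately, `functionParameters` spells the default `disabled:bool=False` while the query body uses `disabled: bool=false`; the same mismatch appears in the vimProcessTerminateMicrosoftWindowsEvents and vimProcessTerminateVMwareCarbonBlackCloud hunks, and it is worth confirming the saved-search API accepts the capitalized form before relying on it.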
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for WEF Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateMicrosoftWindowsEvents", - "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n actorusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n) {\nWindowsEvent\n| where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and EventID == 4689\n 
and (array_length(actingprocess_has_any)==0) \n and (array_length(parentprocess_has_any)==0) \n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_all)==0) \n and (array_length(commandline_has_any)==0) \n and (array_length(commandline_has_any_ip_prefix)==0) \n and (array_length(hashes_has_any)==0) \n and (array_length(targetprocess_has_any)==0 or EventData.ProcessName has_any (targetprocess_has_any)) \n and (actorusername_has=='*' or EventData has actorusername_has) \n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) \n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessTerminated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\"\n| where // -- post filtering\n (actorusername_has=='*' or ActorUsername has actorusername_has) \n| extend \n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(tolong(EventData.ProcessId))),\n TargetProcessName = tostring(EventData.ProcessName),\n TargetProcessStatusCode = tostring(EventData.Status)\n| extend \n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n// -- Aliases\n| extend\n User = 
ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for WEF Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateMicrosoftWindowsEvents", + "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet parser = (\n 
starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n actorusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n) {\nWindowsEvent\n| where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and EventID == 4689\n and (array_length(actingprocess_has_any)==0) \n and (array_length(parentprocess_has_any)==0) \n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_all)==0) \n and (array_length(commandline_has_any)==0) \n and (array_length(commandline_has_any_ip_prefix)==0) \n and (array_length(hashes_has_any)==0) \n and (array_length(targetprocess_has_any)==0 or EventData.ProcessName has_any (targetprocess_has_any)) \n and (actorusername_has=='*' or EventData has actorusername_has) \n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) \n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessTerminated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> 
\"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\"\n| where // -- post filtering\n (actorusername_has=='*' or ActorUsername has actorusername_has) \n| extend \n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(tolong(EventData.ProcessId))),\n TargetProcessName = tostring(EventData.ProcessName),\n TargetProcessStatusCode = tostring(EventData.Status)\n| extend \n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n// -- Aliases\n| extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json index 3e6f481abb2..c13f5be5287 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json 
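Review bot: The query defines `ASIM_ResolveWindowsUsername` but never calls it: `ActorUsername` is built with `strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName)` and the user type comes from `_ASIM_GetWindowsUserType`. The helper's own `case` maps a `-` user to an empty string and a `-` domain to the bare username, which the `strcat` path does not do, so either the helper is dead code to drop or the `ActorUsername` assignment was meant to go through it; the source KQL should be reconciled before this file is regenerated. Since the parent workspace resource is no longer declared, a deployment of this template presumes the workspace already exists, which seems worth stating in the `Workspace` parameter's description (outside this hunk).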
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (eventType_s == \"endpoint.event.procend\" and 
isnotempty(process_pid_d))\n and (eventtype == '*' or eventtype == 'ProcessTerminated')\n and array_length(parentprocess_has_any) == 0\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix)) \n and (actorusername_has == '*' or process_username_s has actorusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all) or process_cmdline_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any) or process_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix) or has_any_ipv4_prefix(process_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or parent_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or process_path_s has_any (targetprocess_has_any)) \n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n 
TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (eventType_s == \"endpoint.event.procend\" and isnotempty(process_pid_d))\n and (eventtype == '*' or eventtype == 'ProcessTerminated')\n and array_length(parentprocess_has_any) == 0\n and 
(array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix)) \n and (actorusername_has == '*' or process_username_s has actorusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all) or process_cmdline_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any) or process_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix) or has_any_ipv4_prefix(process_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or parent_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or process_path_s has_any (targetprocess_has_any)) \n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = 
parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEvent/ASimRegistryEvent.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEvent/ASimRegistryEvent.json index 5309fb04f2b..8344eaa34df 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEvent/ASimRegistryEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEvent/ASimRegistryEvent.json 
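Review bot: `EventStartTime = todatetime(split(createTime_s, '+')[0])` discards whatever follows the `+` in the source timestamp, so if `createTime_s` ever carries a non-zero UTC offset the normalized time is shifted by that offset, and a value written with a `-` offset or `Z` suffix is not trimmed at all; `todatetime(createTime_s)` on the full value, or a comment documenting that the feed is always `+00:00`, would be safer. The two `parse … with * '[\"' … '\",\"' … '\"]'` lines also presume `process_hash_s` and `parent_hash_s` always hold exactly an MD5 followed by a SHA256, leaving both hash columns empty when only one hash is present; a comment stating that expected shape would help the next maintainer. Both points live in the source KQL rather than in the restructuring, so they should be fixed upstream of the generator.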
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistry')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistry", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser", - "category": "ASIM", - "FunctionAlias": "ASimRegistry", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimRegistryEventEmpty,\n ASimRegistryEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSecurityEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),\n ASimRegistryEventSentinelOne(disabled=(ASimBuiltInDisabled or 
('ExcludeASimRegistryEventSentinelOne' in (DisabledParsers) ))),\n ASimRegistryEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventNative' in (DisabledParsers) ))),\n ASimRegistryEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimRegistryEventTrendMicroVisionOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser", + "category": "ASIM", + "FunctionAlias": "ASimRegistry", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimRegistryEventEmpty,\n ASimRegistryEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSecurityEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),\n ASimRegistryEventSentinelOne(disabled=(ASimBuiltInDisabled or 
('ExcludeASimRegistryEventSentinelOne' in (DisabledParsers) ))),\n ASimRegistryEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventNative' in (DisabledParsers) ))),\n ASimRegistryEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimRegistryEventTrendMicroVisionOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json index 1ae310de4e6..335f346fcd7 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json 
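Review bot: Replacing the parent `Microsoft.OperationalInsights/workspaces` resource and its `dependsOn` with a direct `workspaces/savedSearches` child named `[concat(parameters('Workspace'), '/ASimRegistry')]` means the deployment no longer issues a PUT against the workspace itself, so the deploying identity only needs write on saved searches; that narrowing is worth a sentence in the PR description, since the same restructure is repeated in the ASimRegistryEventMicrosoft365D, ASimRegistryEventMicrosoftSecurityEvent, ASimRegistryEventMicrosoftSysmon and ASimRegistryEventMicrosoftSysmonWindowsEvent sections. The `location` that moved onto the savedSearches resource is now the only consumer of `WorkspaceRegion`; whether the 2020-08-01 savedSearches API honours it cannot be confirmed from the hunk, and if it does not, the parameter is effectively dead and could be made optional. If these ARM files are produced from a shared generator template, any further adjustment belongs there rather than in the per-parser JSON.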
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft 365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoft365D", - "query": "let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"None\", \"Reg_None\",\n \"String\", \"Reg_Sz\",\n \"ExpandString\", \"Reg_Expand_Sz\",\n \"Binary\", \"Reg_Binary\",\n \"Dword\", \"Reg_DWord\",\n \"MultiString\", \"Reg_Multi_Sz\",\n \"QWord\", \"Reg_QWord\"\n];\nlet parser = (\n disabled: bool=false\n ) {\n DeviceRegistryEvents\n | where not(disabled)\n | extend\n // Event\n EventOriginalUid = tostring(ReportId), \n EventCount = int(1), \n EventProduct = 'M365 Defender for Endpoint', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventType = ActionType,\n // Registry\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\n // RegistryValueType -- original name is fine \n // RegistryValueData -- original name is fine \n RegistryKeyModified = iff (ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\n RegistryValueModified = iff (ActionType == 
\"RegistryValueSet\", PreviousRegistryValueName, \"\"),\n // RegistryValueTypeModified -- Not provided by Defender\n RegistryValueDataModified = PreviousRegistryValueData\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\n | extend RegistryValueType = TypeName\n | project-away\n TypeName,\n PreviousRegistryKey,\n PreviousRegistryValueName,\n PreviousRegistryValueData\n // Device\n | extend\n DvcHostname = DeviceName, \n DvcId = DeviceId, \n Dvc = DeviceName \n // Users\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \n ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \n ActorUserIdType = 'SID'\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\n | project-rename\n ActorUserId = InitiatingProcessAccountSid, \n ActorUserAadId = InitiatingProcessAccountObjectId, \n ActorUserUpn = InitiatingProcessAccountUpn\n // Processes\n | extend\n ActingProcessId = tostring(InitiatingProcessId), \n ParentProcessId = tostring(InitiatingProcessParentId) \n | project-away InitiatingProcessId, InitiatingProcessParentId\n | project-rename\n ParentProcessName = InitiatingProcessParentFileName, \n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFileName = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \n ActingProcessTokenElevation = InitiatingProcessTokenElevation, \n ActingProcessCreationTime = InitiatingProcessCreationTime \n // -- aliases\n | extend \n Username = ActorUsername,\n UserId = ActorUserId,\n UserIdType = ActorUserIdType,\n User = 
ActorUsername,\n CommandLine = ActingProcessCommandLine,\n Process = ActingProcessName\n};\nparser (\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft 365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoft365D", + "query": "let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"None\", \"Reg_None\",\n \"String\", \"Reg_Sz\",\n \"ExpandString\", \"Reg_Expand_Sz\",\n \"Binary\", \"Reg_Binary\",\n \"Dword\", \"Reg_DWord\",\n \"MultiString\", \"Reg_Multi_Sz\",\n \"QWord\", \"Reg_QWord\"\n];\nlet parser = (\n disabled: bool=false\n ) {\n DeviceRegistryEvents\n | where not(disabled)\n | extend\n // Event\n EventOriginalUid = tostring(ReportId), \n EventCount = int(1), \n EventProduct = 'M365 Defender for Endpoint', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventType = ActionType,\n // Registry\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\n // RegistryValueType -- original name is fine \n // RegistryValueData -- original name is fine \n RegistryKeyModified = iff (ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\n RegistryValueModified = iff (ActionType == \"RegistryValueSet\", PreviousRegistryValueName, \"\"),\n // RegistryValueTypeModified -- Not provided by Defender\n RegistryValueDataModified = PreviousRegistryValueData\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\n | extend RegistryValueType = TypeName\n | project-away\n TypeName,\n PreviousRegistryKey,\n PreviousRegistryValueName,\n PreviousRegistryValueData\n // Device\n | extend\n DvcHostname = 
DeviceName, \n DvcId = DeviceId, \n Dvc = DeviceName \n // Users\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \n ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \n ActorUserIdType = 'SID'\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\n | project-rename\n ActorUserId = InitiatingProcessAccountSid, \n ActorUserAadId = InitiatingProcessAccountObjectId, \n ActorUserUpn = InitiatingProcessAccountUpn\n // Processes\n | extend\n ActingProcessId = tostring(InitiatingProcessId), \n ParentProcessId = tostring(InitiatingProcessParentId) \n | project-away InitiatingProcessId, InitiatingProcessParentId\n | project-rename\n ParentProcessName = InitiatingProcessParentFileName, \n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFileName = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \n ActingProcessTokenElevation = InitiatingProcessTokenElevation, \n ActingProcessCreationTime = InitiatingProcessCreationTime \n // -- aliases\n | extend \n Username = ActorUsername,\n UserId = ActorUserId,\n UserIdType = ActorUserIdType,\n User = ActorUsername,\n CommandLine = ActingProcessCommandLine,\n Process = ActingProcessName\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
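Review bot: The Microsoft365D query in the new `properties.query` sets EventOriginalUid, EventCount, EventProduct, EventVendor, EventSchemaVersion and EventType but never `EventSchema` or `EventResult`, whereas the MicrosoftSecurityEvent and MicrosoftSysmon parsers in this same commit emit `EventSchema = "RegistryEvent"` and `EventResult = "Success"`; anything filtering the union on EventSchema will silently drop the Defender rows. Adding `EventSchema = 'RegistryEvent',` and `EventResult = 'Success',` to the first `extend` would align it with its siblings. `ActorUserIdType = 'SID'` is also assigned unconditionally, even when InitiatingProcessAccountSid is empty, while the SecurityEvent parser conditions the type on the id value. The query is an embedded KQL string, so the fix belongs in the parser's source definition, not a hand-edit of this ARM JSON.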
diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSecurityEvent/ASimRegistryEventMicrosoftSecurityEvent.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSecurityEvent/ASimRegistryEventMicrosoftSecurityEvent.json index 5a1399079f2..f5cc5a86d0b 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSecurityEvent/ASimRegistryEventMicrosoftSecurityEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSecurityEvent/ASimRegistryEventMicrosoftSecurityEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoftSecurityEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoftSecurityEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Windows Events (registry creation event)", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoftSecurityEvent", - "query": "let parser = (\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\n SecurityEvent\n | project-rename\n ActorUsername = SubjectUserName\n ,\n ActorUserId = SubjectUserSid\n ,\n ActorSessionId = SubjectLogonId\n ,\n ActingProcessName = ProcessName\n ,\n ActorDomainName = SubjectDomainName\n | extend\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\n ,\n ActingProcessId = tostring(toint(tolong(ProcessId)))\n ,\n RegistryKey = iif(\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: 
string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n SecurityEvent\n | where not(disabled)\n | where EventID == 4663 and ObjectType == \"Key\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | invoke ASIM_ParseSecurityEvents()\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where EventID == 4657\n | invoke ASIM_ParseSecurityEvents()\n | extend\n EventOriginalSubType = OperationType\n ,\n RegistryValue = ObjectValueName\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue,\n RegistryValue\n )\n | lookup RegistryType on 
$left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n disabled = 
disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Windows Events (registry creation event)", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoftSecurityEvent", + "query": "let parser = (\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\n SecurityEvent\n | project-rename\n ActorUsername = SubjectUserName\n ,\n ActorUserId = SubjectUserSid\n ,\n ActorSessionId = SubjectLogonId\n ,\n ActingProcessName = ProcessName\n ,\n ActorDomainName = SubjectDomainName\n | extend\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\n ,\n ActingProcessId = tostring(toint(tolong(ProcessId)))\n ,\n RegistryKey = iif(\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = 
datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n SecurityEvent\n | where not(disabled)\n | where EventID == 4663 and ObjectType == \"Key\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | invoke ASIM_ParseSecurityEvents()\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where EventID == 4657\n | invoke ASIM_ParseSecurityEvents()\n | extend\n EventOriginalSubType = OperationType\n ,\n RegistryValue = ObjectValueName\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue,\n RegistryValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | 
project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmon/ASimRegistryEventMicrosoftSysmon.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmon/ASimRegistryEventMicrosoftSysmon.json index 65b36c6c540..67ca69ac58a 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmon/ASimRegistryEventMicrosoftSysmon.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmon/ASimRegistryEventMicrosoftSysmon.json 
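Review bot: In the new `properties.query`, `Dvc = iif(DvcDomainType == "FQDN", FQDN, "DvcHostname")` passes the string literal "DvcHostname" rather than the DvcHostname column, and a later `extend` re-assigns `Dvc = iif(DvcDomainType == "FQDN", Computer, "")`, so the first assignment is dead and non-FQDN hosts end up with an empty Dvc. Keeping a single `Dvc = iif(DvcDomainType == "FQDN", FQDN, DvcHostname)` and deleting the second assignment yields a populated device identifier in both cases. The query is an embedded KQL string, so this should be corrected in the parser source rather than here. The `RegistryPreviousKey`/`RegistryPreviousValue`/`RegistryPreviousValueData` names also differ from the `RegistryKeyModified`/`RegistryValueModified`/`RegistryValueDataModified` names the Microsoft365D parser in this commit emits; which set the declared schema version `0.1` expects is not visible in the hunk.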
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Sysmon (registry creation event)", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoftSysmon", - "query": "let parser = (\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from Event table\n // Create the raw table from the raw XML file structure\n let ParsedRegistryEvent_Event=() {\n Event\n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | parse EventData with \n * ''RuleName // parsing the XML using the original fields name - for readibliy \n ''EventType\n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId\n ''Image\n ''TargetObject\n '' EventDataRemainder \n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\n | project-away EventDataRemainder\n // End of XML parse\n | extend \n EventStartTime = 
todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID), \n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | project-rename \n EventMessage = RenderedDescription, \n DvcHostName = Computer, \n ActingProcessId = ProcessId,\n ActingProcessGuid = ProcessGuid, \n ActingProcessName = Image \n // Lookup Event Type\n | lookup RegistryAction on EventType \n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, 
\"\"),\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\",\n Rule=RuleName\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n ParameterXml,\n DvcHostName,\n EventCategory,\n EventID,\n EventLevelName,\n EventLevel,\n EventLog,\n Hive1,\n MG,\n AzureDeploymentID,\n RegistryKeyModified,\n RegistryValueModified,\n Role,\n SourceSystem,\n Source,\n TenantId,\n UserName,\n UtcTime,\n ManagementGroupName,\n Message,_ResourceId\n };\n ParsedRegistryEvent_Event\n };\n parser (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Sysmon (registry creation event)", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoftSysmon", + "query": "let parser = (\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from Event table\n // Create the raw table from the raw XML file structure\n let ParsedRegistryEvent_Event=() {\n Event\n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | parse EventData with \n * ''RuleName // parsing the XML using the original fields name - for readibliy \n ''EventType\n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId\n ''Image\n ''TargetObject\n '' EventDataRemainder \n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\n | 
project-away EventDataRemainder\n // End of XML parse\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID), \n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | project-rename \n EventMessage = RenderedDescription, \n DvcHostName = Computer, \n ActingProcessId = ProcessId,\n ActingProcessGuid = ProcessGuid, \n ActingProcessName = Image \n // Lookup Event Type\n | lookup RegistryAction on EventType \n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, 
\"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\",\n Rule=RuleName\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n ParameterXml,\n DvcHostName,\n EventCategory,\n EventID,\n EventLevelName,\n EventLevel,\n EventLog,\n Hive1,\n MG,\n AzureDeploymentID,\n RegistryKeyModified,\n RegistryValueModified,\n Role,\n SourceSystem,\n Source,\n TenantId,\n UserName,\n UtcTime,\n ManagementGroupName,\n Message,_ResourceId\n };\n ParsedRegistryEvent_Event\n };\n parser (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmonWindowsEvent/ASimRegistryEventMicrosoftSysmonWindowsEvent.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmonWindowsEvent/ASimRegistryEventMicrosoftSysmonWindowsEvent.json index 61dce80a432..8fcce5bca8a 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmonWindowsEvent/ASimRegistryEventMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmonWindowsEvent/ASimRegistryEventMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Sysmon (registry creation event)", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from WindowsEvent table\n let ParsedRegistryEvent_WindowsEvent=() {\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID),\n EventType = tostring(EventData.EventType),\n DvcOs = \"Windows\",\n EventMessage = 
tostring(EventData.RenderedDescription), \n ActorUsername = tostring(EventData.User),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ActingProcessName = tostring(EventData.Image),\n TargetObject = tostring(EventData.TargetObject),\n Parameter = tostring(EventData.Parameter)\n | project-rename\n DvcHostName = Computer \n | lookup RegistryAction on EventType\n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | extend // aliases\n User = 
ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\"\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\n };\n ParsedRegistryEvent_WindowsEvent\n };\n parser (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Sysmon (registry creation event)", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from WindowsEvent table\n let ParsedRegistryEvent_WindowsEvent=() {\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID),\n EventType = tostring(EventData.EventType),\n DvcOs = \"Windows\",\n EventMessage 
= tostring(EventData.RenderedDescription), \n ActorUsername = tostring(EventData.User),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ActingProcessName = tostring(EventData.Image),\n TargetObject = tostring(EventData.TargetObject),\n Parameter = tostring(EventData.Parameter)\n | project-rename\n DvcHostName = Computer \n | lookup RegistryAction on EventType\n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | extend // aliases\n User = 
ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\"\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\n };\n ParsedRegistryEvent_WindowsEvent\n };\n parser (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftWindowsEvent/ASimRegistryEventMicrosoftWindowsEvent.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftWindowsEvent/ASimRegistryEventMicrosoftWindowsEvent.json index 5ed1071d700..4ecb7e00a70 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftWindowsEvent/ASimRegistryEventMicrosoftWindowsEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftWindowsEvent/ASimRegistryEventMicrosoftWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Windows Events (registry creation event)", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoftWindowsEvent", - "query": "let parser = (\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\n WindowsEvent\n | extend\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\n ,\n ActorDomainName = tostring(EventData.SubjectDomainName)\n ,\n ActorUserId = tostring(EventData.SubjectUserSid)\n ,\n ActorSessionId = tostring(EventData.SubjectLogonId)\n ,\n ActingProcessName = tostring(EventData.ProcessName)\n ,\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\n ,\n RegistryKey = iif(\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n 
\"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\n | extend\n AccessMask = tostring(EventData.AccessMask)\n ,\n Type = \"WindowsEvent\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | invoke ASIM_ParseWindowsEvents()\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where EventID == 4657\n | invoke ASIM_ParseWindowsEvents()\n | extend\n EventOriginalSubType = tostring(EventData.OperationType)\n ,\n OldValue = tostring(EventData.OldValue)\n ,\n NewValue = tostring(EventData.NewValue)\n ,\n RegistryValue = tostring(EventData.ObjectValueName)\n ,\n NewValueType = tostring(EventData.NewValueType)\n ,\n OldValueType = tostring(EventData.OldValueType)\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | project\n TimeGenerated,\n 
Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n RegistryValue,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n 
,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId };\nparser (\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Windows Events (registry creation event)", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoftWindowsEvent", + "query": "let parser = (\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\n WindowsEvent\n | extend\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\n ,\n ActorDomainName = tostring(EventData.SubjectDomainName)\n ,\n ActorUserId = tostring(EventData.SubjectUserSid)\n ,\n ActorSessionId = tostring(EventData.SubjectLogonId)\n ,\n ActingProcessName = tostring(EventData.ProcessName)\n ,\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\n ,\n RegistryKey = iif(\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", 
\"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\n | extend\n AccessMask = tostring(EventData.AccessMask)\n ,\n Type = \"WindowsEvent\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | invoke ASIM_ParseWindowsEvents()\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where EventID == 4657\n | invoke ASIM_ParseWindowsEvents()\n | extend\n EventOriginalSubType = tostring(EventData.OperationType)\n ,\n OldValue = tostring(EventData.OldValue)\n ,\n NewValue = tostring(EventData.NewValue)\n ,\n RegistryValue = tostring(EventData.ObjectValueName)\n ,\n NewValueType = tostring(EventData.NewValueType)\n ,\n OldValueType = tostring(EventData.OldValueType)\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n RegistryValue,\n Type,\n NewValueType,\n OldValueType,\n 
EventOriginalSubType,\n OldValue,\n NewValue\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away 
ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId };\nparser (\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventNative/ASimRegistryEventNative.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventNative/ASimRegistryEventNative.json index d98d15b754e..fe5e650986e 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventNative/ASimRegistryEventNative.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventNative/ASimRegistryEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Sentinel native Registry Event table", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventNative", - "query": "let parser=(disabled: bool=false) {\n ASimRegistryEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"RegistryEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n User = ActorUsername,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n Process = ActingProcessName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Sentinel native Registry Event table", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventNative", + "query": "let parser=(disabled: bool=false) {\n ASimRegistryEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"RegistryEvent\",\n DvcScopeId 
= iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n User = ActorUsername,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n Process = ActingProcessName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventSentinelOne/ASimRegistryEventSentinelOne.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventSentinelOne/ASimRegistryEventSentinelOne.json index 774fe409837..4ece2bdd2bd 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventSentinelOne/ASimRegistryEventSentinelOne.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventSentinelOne/ASimRegistryEventSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventSentinelOne", - "query": "let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n[\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\n \"REGVALUECREATE\", \"RegistryValueSet\",\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable (\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\",\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\n];\nlet RegistryPreviousValueTypeLookup = datatable (\n alertInfo_registryOldValueType_s: string,\n RegistryPreviousValueType_lookup: string\n)\n [\n \"BINARY\", \"Reg_Binary\",\n \"DWORD\", \"Reg_DWord\",\n \"QWORD\", \"Reg_QWord\",\n \"SZ\", \"Reg_Sz\",\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n 
\"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) { \n let alldata = SentinelOne_CL \n | where not(disabled)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\n | extend RegistryValueType = case(\n alertInfo_registryValue_s matches 
regex '^[0-9]+$',\n \"Reg_Dword\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) <= 10,\n \"Reg_DWord\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) > 10,\n \"Reg_QWord\",\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\n \"Reg_Binary\",\n \"\"\n )\n | extend RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n EventStartTime= sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ParentProcessId = sourceParentProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n RegistryValueData = alertInfo_registryValue_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct), \n EventEndTime = EventStartTime,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, RegistryValueType),\n 
RegistryPreviousValue = RegistryValue,\n Process = ActingProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Rule = RuleName\n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix,\n RegistryPreviousValueType_lookup,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventSentinelOne", + "query": "let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n[\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\n \"REGVALUECREATE\", \"RegistryValueSet\",\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable (\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\",\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\n];\nlet RegistryPreviousValueTypeLookup = datatable (\n alertInfo_registryOldValueType_s: string,\n RegistryPreviousValueType_lookup: string\n)\n [\n \"BINARY\", \"Reg_Binary\",\n \"DWORD\", \"Reg_DWord\",\n \"QWORD\", \"Reg_QWord\",\n \"SZ\", \"Reg_Sz\",\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n 
\"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) { \n let alldata = SentinelOne_CL \n | where not(disabled)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\n | extend RegistryValueType = case(\n 
alertInfo_registryValue_s matches regex '^[0-9]+$',\n \"Reg_Dword\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) <= 10,\n \"Reg_DWord\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) > 10,\n \"Reg_QWord\",\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\n \"Reg_Binary\",\n \"\"\n )\n | extend RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n EventStartTime= sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ParentProcessId = sourceParentProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n RegistryValueData = alertInfo_registryValue_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct), \n EventEndTime = EventStartTime,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, 
RegistryValueType),\n RegistryPreviousValue = RegistryValue,\n Process = ActingProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Rule = RuleName\n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix,\n RegistryPreviousValueType_lookup,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json index 1860d86c854..92947d8e069 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventTrendMicroVisionOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventTrendMicroVisionOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventTrendMicroVisionOne", - "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, \"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where 
not(disabled)\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = 
_ASIM_GetUserType(ActorUsername,\"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventTrendMicroVisionOne", + "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, \"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n 
TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", 
\"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername,\"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json index a1d836c8012..fea19655e62 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventVMwareCarbonBlackCloud", - "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n[\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\nlet parser=(disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = 
tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend\n RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for 
VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n[\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\nlet parser=(disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend\n RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = 
process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/imRegistryEvent/imRegistryEvent.json b/Parsers/ASimRegistryEvent/ARM/imRegistryEvent/imRegistryEvent.json index 7af55176ab9..d27e498feff 100644 --- a/Parsers/ASimRegistryEvent/ARM/imRegistryEvent/imRegistryEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/imRegistryEvent/imRegistryEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imRegistry')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imRegistry", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser", - "category": "ASIM", - "FunctionAlias": "imRegistry", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack:bool=false\n )\n {\nunion isfuzzy=true\n vimRegistryEventEmpty,\n vimRegistryEventMicrosoft365D (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n 
vimRegistryEventMicrosoftSysmon(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSysmonWindowsEvent(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSecurityEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),\n vimRegistryEventSentinelOne (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = 
registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventSentinelOne' in (DisabledParsers) ))),\n vimRegistryEventNative (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventNative' in (DisabledParsers) ))),\n vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registryvaluedata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimRegistryEventTrendMicroVisionOne (starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registrydata_has_any, dvchostname_has_any=dvchostname_has_any, disabled= (vimBuiltInDisabled or('ExcludevimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser", + "category": "ASIM", + "FunctionAlias": "imRegistry", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack:bool=false\n )\n {\nunion isfuzzy=true\n vimRegistryEventEmpty,\n vimRegistryEventMicrosoft365D (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSysmon(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, 
registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSysmonWindowsEvent(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSecurityEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),\n vimRegistryEventSentinelOne (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventSentinelOne' in (DisabledParsers) ))),\n vimRegistryEventNative (starttime = starttime, endtime 
= endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventNative' in (DisabledParsers) ))),\n vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registryvaluedata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimRegistryEventTrendMicroVisionOne (starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registrydata_has_any, dvchostname_has_any=dvchostname_has_any, disabled= (vimBuiltInDisabled or('ExcludevimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json index 0cb0caa4133..8325f2bbe82 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventEmpty", - "query": "let EmptyNewRegistryEvents = datatable(\n// ****** Mandatory LA fields ******\n TimeGenerated:datetime, // => EventEndTime\n _ResourceId:string,\n Type:string,\n// ****** Event fields ******\n EventType:string,\n EventSubType:string,\n EventProduct:string,\n EventResult:string,\n EventResultDetails:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventSeverity:string,\n EventOriginalSeverity:string,\n EventSchema:string,\n EventOwner:string,\n EventProductVersion:string, \n EventCount:int, \n EventMessage:string, \n EventVendor:string, \n EventSchemaVersion:string, \n EventOriginalUid:string, \n EventOriginalType:string,\n EventStartTime:datetime, \n EventEndTime:datetime, \n EventReportUrl:string, \n AdditionalFields:dynamic, \n //****** RegistryFields ****** \n RegistryKey:string,\n RegistryValue:string,\n RegistryValueType:string,\n RegistryValueData:string,\n RegistryPreviousKey:string,\n RegistryPreviousValue:string,\n RegistryPreviousValueType:string,\n RegistryPreviousValueData:string,\n //****** Device fields ******\n DvcId:string, \n DvcHostname:string, \n DvcIpAddr:string, \n DvcOs:string, \n DvcOsVersion:string, \n DvcMacAddr:string,\n DvcFQDN:string,\n 
DvcDomain:string,\n DvcDomainType:string,\n DvcDescription:string,\n DvcZone:string,\n DvcAction:string,\n DvcOriginalAction:string,\n DvcInterface:string,\n DvcScopeId:string,\n DvcScope:string,\n DvcIdType:string,\n // -- User fields\n ActorUsername:string, \n ActorUsernameType:string, \n ActorUserId:string, \n ActorUserIdType:string, \n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorUserType:string,\n ActorOriginalUserType:string,\n ActingProcessCommandLine:string,\n //****** Process fields ******\n ActingProcessName:string,\n ActingProcessId:string,\n ActingProcessGuid:string,\n ParentProcessName:string,\n ParentProcessId:string,\n ParentProcessGuid:string,\n ParentProcessCommandLine:string,\n //****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ****** \n Dvc:string,\n User:string,\n Process:string,\n Src:string,\n Dst:string\n )[];\n EmptyNewRegistryEvents", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventEmpty", + "query": "let EmptyNewRegistryEvents = datatable(\n// ****** Mandatory LA fields ******\n TimeGenerated:datetime, // => EventEndTime\n _ResourceId:string,\n Type:string,\n// ****** Event fields ******\n EventType:string,\n EventSubType:string,\n EventProduct:string,\n EventResult:string,\n EventResultDetails:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventSeverity:string,\n EventOriginalSeverity:string,\n EventSchema:string,\n EventOwner:string,\n EventProductVersion:string, \n 
EventCount:int, \n EventMessage:string, \n EventVendor:string, \n EventSchemaVersion:string, \n EventOriginalUid:string, \n EventOriginalType:string,\n EventStartTime:datetime, \n EventEndTime:datetime, \n EventReportUrl:string, \n AdditionalFields:dynamic, \n //****** RegistryFields ****** \n RegistryKey:string,\n RegistryValue:string,\n RegistryValueType:string,\n RegistryValueData:string,\n RegistryPreviousKey:string,\n RegistryPreviousValue:string,\n RegistryPreviousValueType:string,\n RegistryPreviousValueData:string,\n //****** Device fields ******\n DvcId:string, \n DvcHostname:string, \n DvcIpAddr:string, \n DvcOs:string, \n DvcOsVersion:string, \n DvcMacAddr:string,\n DvcFQDN:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcDescription:string,\n DvcZone:string,\n DvcAction:string,\n DvcOriginalAction:string,\n DvcInterface:string,\n DvcScopeId:string,\n DvcScope:string,\n DvcIdType:string,\n // -- User fields\n ActorUsername:string, \n ActorUsernameType:string, \n ActorUserId:string, \n ActorUserIdType:string, \n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorUserType:string,\n ActorOriginalUserType:string,\n ActingProcessCommandLine:string,\n //****** Process fields ******\n ActingProcessName:string,\n ActingProcessId:string,\n ActingProcessGuid:string,\n ParentProcessName:string,\n ParentProcessId:string,\n ParentProcessGuid:string,\n ParentProcessCommandLine:string,\n //****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ****** \n Dvc:string,\n User:string,\n Process:string,\n Src:string,\n Dst:string\n )[];\n EmptyNewRegistryEvents", + 
"version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json index 0954b70afdd..8ea5483a633 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft 365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoft365D", - "query": "let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"None\", \"Reg_None\",\n \"String\", \"Reg_Sz\",\n \"ExpandString\", \"Reg_Expand_Sz\",\n \"Binary\", \"Reg_Binary\",\n \"Dword\", \"Reg_DWord\",\n \"MultiString\", \"Reg_Multi_Sz\",\n \"QWord\", \"Reg_QWord\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n DeviceRegistryEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in)) and\n (array_length(actorusername_has_any) == 0 or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', 
InitiatingProcessAccountName) has_any (actorusername_has_any))) and\n ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any)) or (PreviousRegistryKey has_any (registrykey_has_any))) and \n ((array_length(registryvalue_has_any)) == 0 or (RegistryValueName has_any (registryvalue_has_any)) or (PreviousRegistryValueName has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))\n | extend\n // Event\n EventOriginalUid = tostring(ReportId), \n EventCount = int(1), \n EventProduct = 'M365 Defender for Endpoint', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventType = ActionType,\n // Registry\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\n // RegistryValueType -- original name is fine \n // RegistryValueData -- original name is fine \n RegistryKeyModified = iff (ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\n RegistryValueModified = iff (ActionType == \"RegistryValueSet\", PreviousRegistryValueName, \"\"),\n // RegistryValueTypeModified -- Not provided by Defender\n RegistryValueDataModified = PreviousRegistryValueData\n | where ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and\n ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any)))\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\n | extend RegistryValueType = TypeName\n | project-away\n TypeName,\n PreviousRegistryKey,\n PreviousRegistryValueName,\n PreviousRegistryValueData\n // Device\n | extend\n DvcHostname = DeviceName, \n 
DvcId = DeviceId, \n Dvc = DeviceName \n // Users\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \n ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \n ActorUserIdType = 'SID'\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\n | project-rename\n ActorUserId = InitiatingProcessAccountSid, \n ActorUserAadId = InitiatingProcessAccountObjectId, \n ActorUserUpn = InitiatingProcessAccountUpn\n // Processes\n | extend\n ActingProcessId = tostring(InitiatingProcessId), \n ParentProcessId = tostring(InitiatingProcessParentId) \n | project-away InitiatingProcessId, InitiatingProcessParentId\n | project-rename\n ParentProcessName = InitiatingProcessParentFileName, \n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFileName = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \n ActingProcessTokenElevation = InitiatingProcessTokenElevation, \n ActingProcessCreationTime = InitiatingProcessCreationTime \n // -- aliases\n | extend \n Username = ActorUsername,\n UserId = ActorUserId,\n UserIdType = ActorUserIdType,\n User = ActorUsername,\n CommandLine = ActingProcessCommandLine,\n Process = ActingProcessName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", - 
"version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft 365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoft365D", + "query": "let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"None\", \"Reg_None\",\n \"String\", \"Reg_Sz\",\n \"ExpandString\", \"Reg_Expand_Sz\",\n \"Binary\", \"Reg_Binary\",\n \"Dword\", \"Reg_DWord\",\n \"MultiString\", \"Reg_Multi_Sz\",\n \"QWord\", \"Reg_QWord\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n DeviceRegistryEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in)) and\n (array_length(actorusername_has_any) == 0 or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any (actorusername_has_any))) and\n ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any)) or (PreviousRegistryKey has_any (registrykey_has_any))) and \n ((array_length(registryvalue_has_any)) == 0 or 
(RegistryValueName has_any (registryvalue_has_any)) or (PreviousRegistryValueName has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))\n | extend\n // Event\n EventOriginalUid = tostring(ReportId), \n EventCount = int(1), \n EventProduct = 'M365 Defender for Endpoint', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventType = ActionType,\n // Registry\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\n // RegistryValueType -- original name is fine \n // RegistryValueData -- original name is fine \n RegistryKeyModified = iff (ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\n RegistryValueModified = iff (ActionType == \"RegistryValueSet\", PreviousRegistryValueName, \"\"),\n // RegistryValueTypeModified -- Not provided by Defender\n RegistryValueDataModified = PreviousRegistryValueData\n | where ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and\n ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any)))\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\n | extend RegistryValueType = TypeName\n | project-away\n TypeName,\n PreviousRegistryKey,\n PreviousRegistryValueName,\n PreviousRegistryValueData\n // Device\n | extend\n DvcHostname = DeviceName, \n DvcId = DeviceId, \n Dvc = DeviceName \n // Users\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \n ActorUsernameType = 
iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \n ActorUserIdType = 'SID'\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\n | project-rename\n ActorUserId = InitiatingProcessAccountSid, \n ActorUserAadId = InitiatingProcessAccountObjectId, \n ActorUserUpn = InitiatingProcessAccountUpn\n // Processes\n | extend\n ActingProcessId = tostring(InitiatingProcessId), \n ParentProcessId = tostring(InitiatingProcessParentId) \n | project-away InitiatingProcessId, InitiatingProcessParentId\n | project-rename\n ParentProcessName = InitiatingProcessParentFileName, \n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFileName = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \n ActingProcessTokenElevation = InitiatingProcessTokenElevation, \n ActingProcessCreationTime = InitiatingProcessCreationTime \n // -- aliases\n | extend \n Username = ActorUsername,\n UserId = ActorUserId,\n UserIdType = ActorUserIdType,\n User = ActorUsername,\n CommandLine = ActingProcessCommandLine,\n Process = ActingProcessName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSecurityEvent/vimRegistryEventMicrosoftSecurityEvent.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSecurityEvent/vimRegistryEventMicrosoftSecurityEvent.json index d7a37fb0bb6..59c7031237d 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSecurityEvent/vimRegistryEventMicrosoftSecurityEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSecurityEvent/vimRegistryEventMicrosoftSecurityEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoftSecurityEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoftSecurityEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoftSecurityEvent", - "query": "let parser = (\nstarttime: datetime=datetime(null),\nendtime: datetime=datetime(null),\neventtype_in: dynamic=dynamic([]),\nactorusername_has_any: dynamic=dynamic([]),\nregistrykey_has_any: dynamic =dynamic([]),\nregistryvalue_has_any: dynamic =dynamic([]),\nregistrydata_has_any: dynamic =dynamic([]),\ndvchostname_has_any: dynamic=dynamic([]),\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) {\niif (\nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\n SecurityEvent\n | project-rename\n ActorUsername = SubjectUserName\n ,\n ActorUserId = SubjectUserSid\n ,\n ActorSessionId = SubjectLogonId\n ,\n ActingProcessName = ProcessName\n ,\n ActorDomainName = SubjectDomainName\n | extend\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\n ,\n 
ActingProcessId = tostring(toint(tolong(ProcessId)))\n ,\n RegistryKey = iif(\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 and ObjectType == \"Key\"\n | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0) and\n (array_length(registrydata_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where 
(array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke ASIM_ParseSecurityEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4657\n | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0 or (ObjectValueName) has_any (registrydata_has_any)) and\n (array_length(registrydata_has_any) == 0 or (NewValue) has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | invoke ASIM_ParseSecurityEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n EventOriginalSubType = OperationType\n ,\n RegistryValue = ObjectValueName\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue,\n RegistryValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup 
RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\"\n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\"\n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = 
actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoftSecurityEvent", + "query": "let parser = (\nstarttime: datetime=datetime(null),\nendtime: datetime=datetime(null),\neventtype_in: dynamic=dynamic([]),\nactorusername_has_any: dynamic=dynamic([]),\nregistrykey_has_any: dynamic =dynamic([]),\nregistryvalue_has_any: dynamic =dynamic([]),\nregistrydata_has_any: dynamic =dynamic([]),\ndvchostname_has_any: dynamic=dynamic([]),\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) {\niif (\nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\n SecurityEvent\n | project-rename\n ActorUsername = SubjectUserName\n ,\n ActorUserId = SubjectUserSid\n ,\n ActorSessionId = SubjectLogonId\n ,\n ActingProcessName = ProcessName\n ,\n ActorDomainName = SubjectDomainName\n | extend\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\n ,\n ActingProcessId = 
tostring(toint(tolong(ProcessId)))\n ,\n RegistryKey = iif(\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 and ObjectType == \"Key\"\n | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0) and\n (array_length(registrydata_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) 
== 0 or EventType in~ (eventtype_in))\n | invoke ASIM_ParseSecurityEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4657\n | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0 or (ObjectValueName) has_any (registrydata_has_any)) and\n (array_length(registrydata_has_any) == 0 or (NewValue) has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | invoke ASIM_ParseSecurityEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n EventOriginalSubType = OperationType\n ,\n RegistryValue = ObjectValueName\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue,\n RegistryValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == 
$right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\"\n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\"\n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = 
registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmon/vimRegistryEventMicrosoftSysmon.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmon/vimRegistryEventMicrosoftSysmon.json index 46964ba043a..4f7ba7e947b 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmon/vimRegistryEventMicrosoftSysmon.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmon/vimRegistryEventMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoftSysmon", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from Event table\n // Create the raw table from the raw XML file structure\n let ParsedRegistryEvent_Event=() {\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n 
| where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | where (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(registrydata_has_any) == 0 or EventData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | parse EventData with \n * ''RuleName // parsing the XML using the original fields name - for readibliy \n ''EventType\n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId\n ''Image\n ''TargetObject\n '' EventDataRemainder \n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\n | where (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any)))\n | project-away EventDataRemainder\n // End of XML parse\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID), \n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | project-rename \n EventMessage = RenderedDescription, \n DvcHostName = Computer, \n ActingProcessId = ProcessId,\n ActingProcessGuid = ProcessGuid, \n ActingProcessName = Image \n // Lookup Event Type\n | lookup RegistryAction on EventType \n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all 
(@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\")\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\",\n Rule = RuleName\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n ParameterXml,\n AzureDeploymentID,DvcHostName,EventCategory,EventID,EventLevelName,EventLevel,EventLog,Hive1,MG,ManagementGroupName,Message,RegistryKeyModified,_ResourceId,RegistryValueModified,Role,SourceSystem,Source,TenantId,UserName,UtcTime\n };\n ParsedRegistryEvent_Event \n };\n parser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n 
registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoftSysmon", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from Event table\n // Create the raw table from the raw XML file structure\n let ParsedRegistryEvent_Event=() {\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | where (array_length(actorusername_has_any) == 0 or 
(EventData has_any (actorusername_has_any))) and\n (array_length(registrydata_has_any) == 0 or EventData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | parse EventData with \n * ''RuleName // parsing the XML using the original fields name - for readibliy \n ''EventType\n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId\n ''Image\n ''TargetObject\n '' EventDataRemainder \n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\n | where (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any)))\n | project-away EventDataRemainder\n // End of XML parse\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID), \n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | project-rename \n EventMessage = RenderedDescription, \n DvcHostName = Computer, \n ActingProcessId = ProcessId,\n ActingProcessGuid = ProcessGuid, \n ActingProcessName = Image \n // Lookup Event Type\n | lookup RegistryAction on EventType \n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], 
Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\")\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\",\n Rule = RuleName\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n ParameterXml,\n AzureDeploymentID,DvcHostName,EventCategory,EventID,EventLevelName,EventLevel,EventLog,Hive1,MG,ManagementGroupName,Message,RegistryKeyModified,_ResourceId,RegistryValueModified,Role,SourceSystem,Source,TenantId,UserName,UtcTime\n };\n ParsedRegistryEvent_Event \n };\n parser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n )", + "version": 1, + 
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmonWindowsEvent/vimRegistryEventMicrosoftSysmonWindowsEvent.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmonWindowsEvent/vimRegistryEventMicrosoftSysmonWindowsEvent.json index 66add29da4f..fc16eb206c3 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmonWindowsEvent/vimRegistryEventMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmonWindowsEvent/vimRegistryEventMicrosoftSysmonWindowsEvent.json 
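Review bot: The displayName `Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)` understates what the query covers: it selects Sysmon EventID 12, 13 and 14 and maps CreateKey, DeleteKey, DeleteValue, SetValue and RenameKey through the RegistryAction table, so key deletion, value set/delete and rename are normalized as well; `"displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry key and value events)"` would describe the function accurately. The same wording is carried in the vimRegistryEventMicrosoftSysmonWindowsEvent hunk below. Separately, for RegistryKeyRenamed the query sets `RegistryKey = NewKey` where NewKey is `ParsedKey[0][0]` of NewName, i.e. the path with its last component stripped; if Parameter holds the full new key path for RenameKey, RegistryKey ends up as the parent key rather than the renamed key, which is worth confirming against sample event 14 data since rename detections would then match on the wrong value. That logic is identical in the SysmonWindowsEvent hunk.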
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from WindowsEvent table\n let ParsedRegistryEvent_WindowsEvent=() {\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | 
where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | where (array_length(actorusername_has_any) == 0 or (tostring(EventData.User) has_any (actorusername_has_any))) and\n (array_length(registrydata_has_any) == 0 or (tostring(EventData.Parameter) has_any (registrydata_has_any))) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID),\n EventType = tostring(EventData.EventType),\n DvcOs = \"Windows\",\n EventMessage = tostring(EventData.RenderedDescription), \n ActorUsername = tostring(EventData.User),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ActingProcessName = tostring(EventData.Image),\n TargetObject = tostring(EventData.TargetObject),\n Parameter = tostring(EventData.Parameter)\n | project-rename\n DvcHostName = Computer \n | lookup RegistryAction on EventType\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", 
\"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\"\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\n };\n ParsedRegistryEvent_WindowsEvent\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= 
dvchostname_has_any,\n disabled = disabled\n )\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from WindowsEvent table\n let ParsedRegistryEvent_WindowsEvent=() {\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | where (array_length(actorusername_has_any) == 0 or (tostring(EventData.User) has_any (actorusername_has_any))) and\n 
(array_length(registrydata_has_any) == 0 or (tostring(EventData.Parameter) has_any (registrydata_has_any))) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID),\n EventType = tostring(EventData.EventType),\n DvcOs = \"Windows\",\n EventMessage = tostring(EventData.RenderedDescription), \n ActorUsername = tostring(EventData.User),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ActingProcessName = tostring(EventData.Image),\n TargetObject = tostring(EventData.TargetObject),\n Parameter = tostring(EventData.Parameter)\n | project-rename\n DvcHostName = Computer \n | lookup RegistryAction on EventType\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away 
ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\"\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\n };\n ParsedRegistryEvent_WindowsEvent\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n )\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftWindowsEvent/vimRegistryEventMicrosoftWindowsEvent.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftWindowsEvent/vimRegistryEventMicrosoftWindowsEvent.json index 7237edc547c..39ea666b297 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftWindowsEvent/vimRegistryEventMicrosoftWindowsEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftWindowsEvent/vimRegistryEventMicrosoftWindowsEvent.json 
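Review bot: The closing project-away list names `_ResourceId` twice (once after `ManagementGroupName` and again after `Version`) and also `Hive1`, which no earlier step of the query defines (the Hives lookup yields `Hive`, already dropped by `project-away KeyPrefix, KeyMain, Hive`). If the engine tolerates repeated or unknown names here they are dead entries that obscure which columns are really removed; if it does not, the function fails at first use, so the second `_ResourceId` and `Hive1` should be dropped. The stale `Hive1` entry is also present in the vimRegistryEventMicrosoftSysmon hunk above.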
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoftWindowsEvent", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\neventtype_in: dynamic=dynamic([]),\nactorusername_has_any: dynamic=dynamic([]),\nregistrykey_has_any: dynamic =dynamic([]),\nregistryvalue_has_any: dynamic =dynamic([]),\nregistrydata_has_any: dynamic =dynamic([]),\ndvchostname_has_any: dynamic=dynamic([]),\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\n WindowsEvent\n | extend\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\n ,\n ActorDomainName = tostring(EventData.SubjectDomainName)\n ,\n ActorUserId = tostring(EventData.SubjectUserSid)\n ,\n ActorSessionId = tostring(EventData.SubjectLogonId)\n ,\n ActingProcessName = tostring(EventData.ProcessName)\n ,\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\n ,\n 
RegistryKey = iif(\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\n | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0) and \n (array_length(registrydata_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend\n AccessMask = tostring(EventData.AccessMask)\n ,\n Type = \"WindowsEvent\"\n | 
lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke ASIM_ParseWindowsEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4657\n | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0 or (EventData.ObjectValueName) has_any (registryvalue_has_any)) and \n (array_length(registrydata_has_any) == 0 or (EventData.NewValue) has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | invoke ASIM_ParseWindowsEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n EventOriginalSubType = tostring(EventData.OperationType)\n ,\n OldValue = tostring(EventData.OldValue)\n ,\n NewValue = tostring(EventData.NewValue)\n ,\n RegistryValue = tostring(EventData.ObjectValueName)\n ,\n NewValueType = tostring(EventData.NewValueType)\n ,\n OldValueType = tostring(EventData.OldValueType)\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n 
| project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n RegistryValue,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = 
\"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoftWindowsEvent", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\neventtype_in: dynamic=dynamic([]),\nactorusername_has_any: dynamic=dynamic([]),\nregistrykey_has_any: dynamic =dynamic([]),\nregistryvalue_has_any: dynamic =dynamic([]),\nregistrydata_has_any: dynamic =dynamic([]),\ndvchostname_has_any: dynamic=dynamic([]),\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\n WindowsEvent\n | extend\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), 
strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\n ,\n ActorDomainName = tostring(EventData.SubjectDomainName)\n ,\n ActorUserId = tostring(EventData.SubjectUserSid)\n ,\n ActorSessionId = tostring(EventData.SubjectLogonId)\n ,\n ActingProcessName = tostring(EventData.ProcessName)\n ,\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\n ,\n RegistryKey = iif(\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\n | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any 
(actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0) and \n (array_length(registrydata_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend\n AccessMask = tostring(EventData.AccessMask)\n ,\n Type = \"WindowsEvent\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke ASIM_ParseWindowsEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4657\n | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0 or (EventData.ObjectValueName) has_any (registryvalue_has_any)) and \n (array_length(registrydata_has_any) == 0 or (EventData.NewValue) has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | invoke ASIM_ParseWindowsEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n EventOriginalSubType = tostring(EventData.OperationType)\n ,\n OldValue = tostring(EventData.OldValue)\n 
,\n NewValue = tostring(EventData.NewValue)\n ,\n RegistryValue = tostring(EventData.ObjectValueName)\n ,\n NewValueType = tostring(EventData.NewValueType)\n ,\n OldValueType = tostring(EventData.OldValueType)\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n RegistryValue,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = 
ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventNative/vimRegistryEventNative.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventNative/vimRegistryEventNative.json index 8b5d85cafb1..63eb195004c 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventNative/vimRegistryEventNative.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventNative/vimRegistryEventNative.json 
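Review bot: In the moved vimRegistryEventMicrosoftWindowsEvent query, the first post-resolve `extend` sets `Dvc = iif(DvcDomainType == "FQDN", FQDN, "DvcHostname")` with the column name in quotes, so non-FQDN rows get the literal string rather than the hostname that `project-rename DvcHostname = ExtractedHostname` just produced; the later `Dvc = iif(DvcDomainType == "FQDN", Computer, "")` then overwrites it and leaves Dvc empty for hosts that resolved without a domain. Since this file is emitted by the ASIM YAML-to-ARM generator, the correction belongs in the parser YAML — presumably `Dvc = iif(DvcDomainType == "FQDN", FQDN, DvcHostname)` in the first extend, with the second assignment removed — followed by a regeneration of the template. Separately, `"functionParameters"` spells the default as `disabled:bool=False` while the query body declares `disabled: bool=false`; I cannot confirm from here whether the saved-search service accepts the capitalised form, but having the generator emit `false` would make the two consistent, and the same mismatch is present in the vimRegistryEventNative hunk below.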
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Sentinel native Registry Event table", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventNative", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimRegistryEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any))) and\n ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | project-rename\n EventUid = _ItemId\n | extend \n 
EventSchema = \"RegistryEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n User = ActorUsername,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n Process = ActingProcessName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Sentinel native Registry Event table", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventNative", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimRegistryEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and 
(isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any))) and\n ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"RegistryEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n User = ActorUsername,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n Process = ActingProcessName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
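Review bot: In the moved vimRegistryEventNative query, `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests the wrong column: a row with a null EventStartTime but a populated EventEndTime keeps the null, and a row with the reverse has its real start time replaced by TimeGenerated. It looks like a copy of the EventEndTime line directly above it; the intended form is presumably `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. As this ARM file is generated from the parser YAML, the fix should be made there and the template regenerated so the two sources do not drift.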
diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventSentinelOne/vimRegistryEventSentinelOne.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventSentinelOne/vimRegistryEventSentinelOne.json index 2566e201525..9dad566879a 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventSentinelOne/vimRegistryEventSentinelOne.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventSentinelOne/vimRegistryEventSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventSentinelOne", - "query": "let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\n \"REGVALUECREATE\", \"RegistryValueSet\",\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable (\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\",\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\n];\nlet RegistryPreviousValueTypeLookup = datatable (\n alertInfo_registryOldValueType_s: string,\n RegistryPreviousValueType_lookup: string\n)\n [\n \"BINARY\", \"Reg_Binary\",\n \"DWORD\", \"Reg_DWord\",\n \"QWORD\", \"Reg_QWord\",\n \"SZ\", \"Reg_Sz\",\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n 
\"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) { \n let alldata = \n SentinelOne_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(actorusername_has_any) == 0) or (sourceProcessInfo_user_s has_any (actorusername_has_any)))\n and ((array_length(registrydata_has_any) == 0) or (alertInfo_registryValue_s has_any (registrydata_has_any)))\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = 
alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | where (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where ((array_length(registrykey_has_any) == 0) or (RegistryKey has_any (registrykey_has_any)))\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\n | where ((array_length(registryvalue_has_any) == 0) or (RegistryValue has_any (registryvalue_has_any)))\n | extend RegistryValueType = case(\n alertInfo_registryValue_s matches regex '^[0-9]+$',\n \"Reg_Dword\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) <= 10,\n \"Reg_DWord\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) > 10,\n \"Reg_QWord\",\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\n \"Reg_Binary\",\n \"\"\n )\n | extend\n RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n EventStartTime= sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ParentProcessId = sourceParentProcessInfo_pid_s,\n ActingProcessName = 
sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n RegistryValueData = alertInfo_registryValue_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct), \n EventEndTime = EventStartTime,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, RegistryValueType),\n RegistryPreviousValue = RegistryValue,\n Process = ActingProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Rule = RuleName\n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix,\n RegistryPreviousValueType_lookup,\n ThreatConfidence_*\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventSentinelOne", + "query": "let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\n \"REGVALUECREATE\", \"RegistryValueSet\",\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable (\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\",\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\n];\nlet RegistryPreviousValueTypeLookup = datatable (\n alertInfo_registryOldValueType_s: string,\n RegistryPreviousValueType_lookup: string\n)\n [\n \"BINARY\", \"Reg_Binary\",\n \"DWORD\", \"Reg_DWord\",\n \"QWORD\", \"Reg_QWord\",\n \"SZ\", \"Reg_Sz\",\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious 
= datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) { \n let alldata = \n SentinelOne_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(actorusername_has_any) == 0) or (sourceProcessInfo_user_s has_any (actorusername_has_any)))\n and ((array_length(registrydata_has_any) == 0) or (alertInfo_registryValue_s has_any (registrydata_has_any)))\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | where (array_length(dvchostname_has_any) == 
0 or DvcHostname has_any (dvchostname_has_any))\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where ((array_length(registrykey_has_any) == 0) or (RegistryKey has_any (registrykey_has_any)))\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\n | where ((array_length(registryvalue_has_any) == 0) or (RegistryValue has_any (registryvalue_has_any)))\n | extend RegistryValueType = case(\n alertInfo_registryValue_s matches regex '^[0-9]+$',\n \"Reg_Dword\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) <= 10,\n \"Reg_DWord\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) > 10,\n \"Reg_QWord\",\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\n \"Reg_Binary\",\n \"\"\n )\n | extend\n RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n EventStartTime= sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ParentProcessId = sourceParentProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n RegistryValueData = alertInfo_registryValue_s,\n 
EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct), \n EventEndTime = EventStartTime,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, RegistryValueType),\n RegistryPreviousValue = RegistryValue,\n Process = ActingProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Rule = RuleName\n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix,\n RegistryPreviousValueType_lookup,\n ThreatConfidence_*\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json index 4bb74e13e65..3444e8a31ca 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventTrendMicroVisionOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventTrendMicroVisionOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventTrendMicroVisionOne", - "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, \"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (starttime: datetime=datetime(null), endtime: 
datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic=dynamic([]), registryvalue_has_any: dynamic=dynamic([]), registryvaluedata_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | where (array_length(actorusername_has_any) == 0 or detail_processUser_s has_any (actorusername_has_any))\n and (array_length(registryvalue_has_any) == 0 or detail_objectRegistryValue_s has_any (registryvalue_has_any))\n and (array_length(registryvaluedata_has_any) == 0 or detail_objectRegistryData_s has_any (registryvaluedata_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | extend \n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = 
tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registryvaluedata_has_any, dvchostname_has_any=dvchostname_has_any, disabled = disabled)", - 
"version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventTrendMicroVisionOne", + "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, \"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic=dynamic([]), registryvalue_has_any: dynamic=dynamic([]), registryvaluedata_has_any: dynamic=dynamic([]), dvchostname_has_any: 
dynamic=dynamic([]), disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | where (array_length(actorusername_has_any) == 0 or detail_processUser_s has_any (actorusername_has_any))\n and (array_length(registryvalue_has_any) == 0 or detail_objectRegistryValue_s has_any (registryvalue_has_any))\n and (array_length(registryvaluedata_has_any) == 0 or detail_objectRegistryData_s has_any (registryvaluedata_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | extend \n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = 
\"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registryvaluedata_has_any, dvchostname_has_any=dvchostname_has_any, disabled = disabled)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json index 9a7b23cbdbe..4500281a9a3 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventVMwareCarbonBlackCloud", - "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n [\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n registrykey_has_any: dynamic=dynamic([]), \n registryvalue_has_any: dynamic=dynamic([]), \n registryvaluedata_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) 
{\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | where array_length(registryvalue_has_any) == 0\n and array_length(registryvaluedata_has_any) == 0\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n 
EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n actorusername_has_any=actorusername_has_any, \n registrykey_has_any=registrykey_has_any, \n registryvalue_has_any=registryvalue_has_any, \n registryvaluedata_has_any=registryvaluedata_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n [\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", 
\"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n registrykey_has_any: dynamic=dynamic([]), \n registryvalue_has_any: dynamic=dynamic([]), \n registryvaluedata_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | where array_length(registryvalue_has_any) == 0\n and array_length(registryvaluedata_has_any) == 0\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and 
(array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n actorusername_has_any=actorusername_has_any, \n registrykey_has_any=registrykey_has_any, \n registryvalue_has_any=registryvalue_has_any, \n registryvaluedata_has_any=registryvaluedata_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled = disabled\n)", + "version": 1, + 
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json index 8721d7ef40a..f35d28b7a68 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json 
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimUserManagement')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimUserManagement",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "User Management ASIM parser",
- "category": "ASIM",
- "FunctionAlias": "ASimUserManagement",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementMicrosoftWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftWindowsEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)",
- "version": 1,
- "functionParameters": "pack:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "User Management ASIM parser",
+ "category": "ASIM",
+ "FunctionAlias": "ASimUserManagement",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementMicrosoftWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftWindowsEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)",
+ "version": 1,
+ "functionParameters": "pack:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json
index 873ef667c81..a01896b0bb1 100644
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", 
\"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", 
\"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = 
\"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n dvcHostname,\n ['User-Name'],\n UserName\n};\nCiscoISEUsrMgmtParser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", 
\"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", 
\"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , 
EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n dvcHostname,\n ['User-Name'],\n UserName\n};\nCiscoISEUsrMgmtParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json index fda5ece200a..1b42529bf65 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementLinuxAuthpriv')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementLinuxAuthpriv", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Linux Authpriv logs", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementLinuxAuthpriv", - "query": "let parser = (\n disabled:bool = false\n) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", 
\" *\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' 
password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and (SyslogMessage 
startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == 
\"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | lookup ActionLookup on Action\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser 
(\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Linux Authpriv logs", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementLinuxAuthpriv", + "query": "let parser = (\n disabled:bool = false\n) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and 
SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage 
startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend 
\n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" 
GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | lookup ActionLookup on Action\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftSecurityEvent/ASimUserManagementMicrosoftSecurityEvent.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftSecurityEvent/ASimUserManagementMicrosoftSecurityEvent.json index 9f936f54aff..1c0ce778c73 100644 
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftSecurityEvent/ASimUserManagementMicrosoftSecurityEvent.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftSecurityEvent/ASimUserManagementMicrosoftSecurityEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementMicrosoftSecurityEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementMicrosoftSecurityEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Microsoft Security Event logs", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementMicrosoftSecurityEvent", - "query": "let parser = (\n disabled:bool = false\n) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", 
\"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n SecurityEvent\n | where not(disabled)\n | where EventID in(UserEventID)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n 
PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActorOriginalUserType = 
AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname, \n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Microsoft Security Event logs", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementMicrosoftSecurityEvent", + "query": "let parser = (\n disabled:bool = false\n) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n 
\"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n SecurityEvent\n | where not(disabled)\n | where EventID in(UserEventID)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | 
extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with 
(regex=@'{?([^<]*?)}?')\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname, \n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
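Review bot: In the new `query` string of this resource, `DvcId = coalesce(_ResourceId, SourceComputerId)` can populate DvcId from SourceComputerId while the next assignment `DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceID", "")` leaves DvcIdType empty for exactly that fallback, so consumers see a device id with no stated type. This is carried over from the old side rather than introduced here, but the flattened resource is the version under review; either set a type for the SourceComputerId case if the ASIM schema defines one, or note the gap in the parser's source YAML, e.g. `// DvcIdType is intentionally empty when DvcId falls back to SourceComputerId`. The same pattern appears in the Windows Event hunk that follows, though that one runs past the end of this view. The unconditional `ActorUserIdType="SID"` a few lines later has the same shape (type asserted even when ActorUserId may be empty) and would benefit from the same treatment.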
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftWindowsEvent/ASimUserManagementMicrosoftWindowsEvent.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftWindowsEvent/ASimUserManagementMicrosoftWindowsEvent.json index b0687706173..219ba7433cd 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftWindowsEvent/ASimUserManagementMicrosoftWindowsEvent.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftWindowsEvent/ASimUserManagementMicrosoftWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Microsoft Windows Event logs", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementMicrosoftWindowsEvent", - "query": "let parser = (\n disabled:bool = false\n) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", 
\"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where EventID in(UserEventID)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = 
tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where EventID in(GroupEventID)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, 
EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname,\n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Microsoft Windows Event logs", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementMicrosoftWindowsEvent", + "query": "let parser = (\n disabled:bool = false\n) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", 
\"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where 
not(disabled)\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where EventID in(UserEventID)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where EventID in(GroupEventID)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n 
GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname,\n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json index edadff7825a..c0b2e572372 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management activity ASIM parser for Microsoft Sentinel native User Management activity table", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementNative", - "query": "let parser = (\n disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management activity ASIM parser for Microsoft Sentinel native User Management activity table", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementNative", + "query": "let parser 
= (\n disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json index c252d8b13dc..c32a549e351 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementSentinelOne", - "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, 
\"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and activityType_d in (UsermanagementactivityIds)\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n ),\n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and 
descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n 
AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementSentinelOne", + "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", 
\"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and activityType_d in (UsermanagementactivityIds)\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n ),\n PreviousPropertyValue = 
case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = 
iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json index 77b8084b591..ba7b0a4098a 100644 --- a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json +++ b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imUserManagement')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imUserManagement", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imUserManagement", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser\n | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack: bool=false) {\n union isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers)))),\n vimUserManagementMicrosoftWindowsEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftWindowsEvent' in (DisabledParsers)))),\n vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))),\n vimUserManagementSentinelOne(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers)))),\n vimUserManagementLinuxAuthpriv(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers)))),\n vimUserManagementNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementNative' in (DisabledParsers))))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n pack=pack\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imUserManagement", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser\n | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack: bool=false) {\n union isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers)))),\n vimUserManagementMicrosoftWindowsEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftWindowsEvent' in (DisabledParsers)))),\n vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))),\n vimUserManagementSentinelOne(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers)))),\n vimUserManagementLinuxAuthpriv(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers)))),\n vimUserManagementNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementNative' in (DisabledParsers))))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n pack=pack\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),pack:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json index ec869750b60..9adbe52ec43 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM filtering parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "vimUserManagementCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", 
\"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", 
\"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0)\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in 
(EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n ['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n targetusername_has_any = targetusername_has_any,\n disabled=disabled\n)\n", 
- "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimUserManagementCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. 
This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", 
\"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against 
Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0)\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n 
SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n ['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n targetusername_has_any = targetusername_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
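Review bot: The `dependsOn` on the workspace is dropped together with the workspace resource itself, so the flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource now silently assumes `parameters('Workspace')` already exists, and nothing in the template documents that precondition. This is the safer shape — deploying the parser no longer (re-)PUTs the workspace under a preview apiVersion and should need write access only on the savedSearches child, which is easier to scope in a role assignment — but an operator reading the template cannot tell that from the resource alone. A resource-level comments property would carry it, e.g. `"comments": "Installs the ASIM function into an existing Log Analytics workspace; the workspace is not created or modified by this template."`; if this JSON is generated output, as its layout suggests, the line belongs in the generator's base template so every parser picks it up. `location` is carried onto the savedSearches resource even though the former nested child had none; it is accepted on this resource type in other Sentinel packages, so leave it unless deployments start warning about it. The vimUserManagementEmpty hunk below makes the identical structural change and is covered by this same note.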
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json b/Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json index 1eb97d0db03..b165547f5d1 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimUserManagementEmpty", - "query": "let parser=datatable(\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n //****** Event fields ******\n EventCount:int,\n EventEndTime:datetime,\n EventProduct:string,\n EventResult:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventStartTime:datetime,\n EventType:string,\n EventVendor:string,\n EventResultDetails:string,\n EventUid:string,\n EventMessage:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventOriginalType:string,\n EventOriginalUid:string,\n EventOwner:string,\n EventProductVersion:string,\n EventReportUrl:string,\n EventSubType:string,\n AdditionalFields:dynamic,\n // ****** Device fields ******\n Dvc:string,\n DvcAction:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcHostname:string,\n DvcId:string,\n DvcIdType:string,\n DvcIpAddr:string,\n DvcDescription:string,\n DvcInterface:string,\n DvcMacAddr:string,\n DvcOriginalAction:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcScope:string,\n DvcScopeId:string,\n DvcZone:string,\n Src:string,\n SrcDomain:string,\n SrcDomainType:string,\n SrcHostname:string,\n SrcIpAddr:string,\n //****** Actor 
fields ******\n ActorUsername:string,\n ActorUsernameType:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUserType:string,\n ActingAppId:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ActingAppName:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n //****** Group fields ******\n GroupId:string,\n GroupIdType:string,\n GroupName:string,\n GroupNameType:string,\n GroupOriginalType:string,\n GroupType:string,\n HttpUserAgent:string,\n NewPropertyValue:string,\n PreviousPropertyValue:string,\n SrcDeviceType:string,\n SrcDvcId:string,\n SrcDvcIdType:string,\n SrcDvcScope:string,\n SrcDvcScopeId:string,\n SrcFQDN:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n SrcGeoRegion:string,\n SrcMacAddr:string,\n SrcPortNumber :int,\n SrcDescription:string,\n SrcRiskLevel:int,\n SrcOriginalRiskLevel:string,\n //****** Target fields ******\n TargetOriginalUserType:string,\n TargetUserId:string,\n TargetUserIdType:string,\n TargetUsername:string,\n TargetUsernameType:string,\n TargetUserType:string,\n TargetUserUid:string,\n TargetUserScopeId:string,\n TargetUserScope:string,\n TargetUserSessionId:string,\n // ****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ******\n Hostname:string,\n IpAddr:string,\n UpdatedPropertyName:string,\n User:string,\n Dst:string\n )[];\n parser", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimUserManagementEmpty", + 
"query": "let parser=datatable(\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n //****** Event fields ******\n EventCount:int,\n EventEndTime:datetime,\n EventProduct:string,\n EventResult:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventStartTime:datetime,\n EventType:string,\n EventVendor:string,\n EventResultDetails:string,\n EventUid:string,\n EventMessage:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventOriginalType:string,\n EventOriginalUid:string,\n EventOwner:string,\n EventProductVersion:string,\n EventReportUrl:string,\n EventSubType:string,\n AdditionalFields:dynamic,\n // ****** Device fields ******\n Dvc:string,\n DvcAction:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcHostname:string,\n DvcId:string,\n DvcIdType:string,\n DvcIpAddr:string,\n DvcDescription:string,\n DvcInterface:string,\n DvcMacAddr:string,\n DvcOriginalAction:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcScope:string,\n DvcScopeId:string,\n DvcZone:string,\n Src:string,\n SrcDomain:string,\n SrcDomainType:string,\n SrcHostname:string,\n SrcIpAddr:string,\n //****** Actor fields ******\n ActorUsername:string,\n ActorUsernameType:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUserType:string,\n ActingAppId:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ActingAppName:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n //****** Group fields ******\n GroupId:string,\n GroupIdType:string,\n GroupName:string,\n GroupNameType:string,\n GroupOriginalType:string,\n GroupType:string,\n HttpUserAgent:string,\n NewPropertyValue:string,\n PreviousPropertyValue:string,\n SrcDeviceType:string,\n SrcDvcId:string,\n SrcDvcIdType:string,\n SrcDvcScope:string,\n SrcDvcScopeId:string,\n SrcFQDN:string,\n 
SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n SrcGeoRegion:string,\n SrcMacAddr:string,\n SrcPortNumber :int,\n SrcDescription:string,\n SrcRiskLevel:int,\n SrcOriginalRiskLevel:string,\n //****** Target fields ******\n TargetOriginalUserType:string,\n TargetUserId:string,\n TargetUserIdType:string,\n TargetUsername:string,\n TargetUsernameType:string,\n TargetUserType:string,\n TargetUserUid:string,\n TargetUserScopeId:string,\n TargetUserScope:string,\n TargetUserSessionId:string,\n // ****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ******\n Hostname:string,\n IpAddr:string,\n UpdatedPropertyName:string,\n User:string,\n Dst:string\n )[];\n parser", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json b/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json index 2e7e36b99f4..c5a66bae9b5 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementLinuxAuthpriv')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementLinuxAuthpriv", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Linux Authpriv logs", - "category": "ASIM", - "FunctionAlias": "vimUserManagementLinuxAuthpriv", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)) and\n (array_length(targetusername_has_any) == 
0 or (SyslogMessage has_any(targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any)))\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | 
invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserModified\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserAddedToGroup\" in (eventtype_in)))\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n 
SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDisabled\" in (eventtype_in)) or (\"UserEnabled\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"PasswordChanged\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n 
(array_length(eventtype_in) == 0 or \"UserLocked\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername 
has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in 
(eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupDeleted\" in (eventtype_in)))\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(eventtype_in) == 0 or (\"UserAddedToGroup\" in (eventtype_in)) or (\"UserRemovedFromGroup\" in (eventtype_in)))\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any(actorusername_has_any)))\n | lookup ActionLookup on Action\n | where 
(array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Linux Authpriv logs", + "category": "ASIM", + "FunctionAlias": "vimUserManagementLinuxAuthpriv", + "query": "let parser = (\n 
starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)) and\n (array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any)))\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | where 
(array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername 
has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserModified\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserAddedToGroup\" in (eventtype_in)))\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDisabled\" in (eventtype_in)) or (\"UserEnabled\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n 
EventResult = \"Success\"\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"PasswordChanged\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserLocked\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | where 
(array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to 
\"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend 
split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupDeleted\" in (eventtype_in)))\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(eventtype_in) == 0 or (\"UserAddedToGroup\" in (eventtype_in)) or (\"UserRemovedFromGroup\" in (eventtype_in)))\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any(actorusername_has_any)))\n | lookup ActionLookup on Action\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n 
GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json index 5b9ecf96e53..eb7168ddd4f 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json 
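Review bot: In the new-side `query` of this savedSearches resource, the third `union` branch filters on `SyslogMessage startswith "new group: name="` but then runs `parse SyslogMessage with "new user: name=" GroupName ", GID=" GroupId`, so the parse never matches and GroupName/GroupId are always empty; the parse prefix should read `"new group: name="` (and since the branch records a group, its `EventType = "UserCreated"` looks like it should be `"GroupCreated"`). In the `UserDisabled`/`UserEnabled` branch the predicate `array_length(actorusername_has_any) == 0 and (... or "UserDisabled" in (eventtype_in)) or ("UserEnabled" in (eventtype_in))` binds as `(A and B) or C`, so a caller passing only `eventtype_in=["UserEnabled"]` bypasses the actor-name prefilter; enclosing the two `in` tests in one parenthesised `or` restores the intended precedence. Both issues are carried verbatim from the old side and originate in the YAML this ARM file is generated from, so the fix belongs in that source rather than in this output. Separately, `functionParameters` declares `disabled:bool=False` while the query signature uses `disabled:bool=false`; deployments presumably accept it since every generated template carries it, but emitting the lowercase literal from the generator would keep the two consistent.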
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementMicrosoftSecurityEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementMicrosoftSecurityEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Microsoft Security Event logs", - "category": "ASIM", - "FunctionAlias": "vimUserManagementMicrosoftSecurityEvent", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n 
\"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n 
and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData 
has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with 
(regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff 
(isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname, \n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Microsoft Security Event logs", + "category": "ASIM", + "FunctionAlias": "vimUserManagementMicrosoftSecurityEvent", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, 
EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", 
\"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project 
TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, 
EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | 
project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname, \n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftWindowsEvent/vimUserManagementMicrosoftWindowsEvent.json b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftWindowsEvent/vimUserManagementMicrosoftWindowsEvent.json
index 24f033e5594..5a5c2db5ad3 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftWindowsEvent/vimUserManagementMicrosoftWindowsEvent.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftWindowsEvent/vimUserManagementMicrosoftWindowsEvent.json
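Review bot: The new standalone `workspaces/savedSearches` resource carries `"etag": "*"`, so every deployment replaces whatever function is already registered under the alias `vimUserManagementMicrosoftSecurityEvent` without any concurrency check, silently discarding operator edits to that saved search; the nested form it replaces did the same, but nothing in the template says so. Strict JSON has no comments, so I would state it in the template's top-level `metadata` (outside this hunk), e.g. a `description` of `"Deploys the ASIM parser as a saved search; etag '*' means an existing function with the same alias is replaced unconditionally."`. Inside the query, `ActorUserType` is produced by `| lookup UserTypeLookup on ActorOriginalUserType` and then overwritten by `ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId)` in the final `extend`, so the `UserTypeLookup` datatable looks like dead work and could be dropped in the source this JSON is presumably generated from. As far as I can see the query text is identical on the removed and added sides, so the functional change is limited to the ARM envelope.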
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Microsoft Windows Event logs", - "category": "ASIM", - "FunctionAlias": "vimUserManagementMicrosoftWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventIDLookup = datatable(\n EventID: int,\n EventType: string,\n EventSubType: string,\n GroupType: string\n )\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security 
Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType: string, ActorUserType: string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\", \"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\", \"GroupModified\") \n | summarize make_set(EventID)\n );\n union\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or 
TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomain has_any (targetusername_has_any)) or (TargetUsername has_any (targetusername_has_any)) or (strcat(TargetDomain, \"\\\\\", TargetUsername) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, \"\\\\\", SubjectUserName) has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project\n TimeGenerated,\n EventID,\n Computer,\n _ResourceId,\n TargetDomain,\n TargetUserId,\n TargetUsername,\n ActorUserId,\n SubjectDomainName,\n SubjectUserName,\n ActorOriginalUserType,\n ActorSessionId,\n NewPropertyValue,\n PreviousPropertyValue,\n EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), 
\"SID\", \"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\", GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project\n TimeGenerated,\n EventID,\n Computer,\n _ResourceId,\n GroupId,\n GroupName,\n ActorUserId,\n SubjectDomainName,\n SubjectUserName,\n ActorOriginalUserType,\n ActorSessionId,\n TargetUsername,\n TargetUserId,\n EventMessage\n | extend \n 
GroupIdType = iif(isnotempty(GroupId), \"SID\", \"\")\n )\n | lookup EventIDLookup on EventID\n | extend UpdatedPropertyName = EventSubType\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | lookup UserTypeLookup on ActorOriginalUserType\n | extend EventOriginalType = tostring(EventID)\n | extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname,\n ActorUserIdType=\"SID\"\n | project-away Subject*, Computer, _ResourceId, EventID\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n User = ActorUsername\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Microsoft Windows Event logs", + "category": "ASIM", + 
"FunctionAlias": "vimUserManagementMicrosoftWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventIDLookup = datatable(\n EventID: int,\n EventType: string,\n EventSubType: string,\n GroupType: string\n )\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", 
\"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType: string, ActorUserType: string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\", \"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\", \"GroupModified\") \n | summarize make_set(EventID)\n );\n union\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n 
TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomain has_any (targetusername_has_any)) or (TargetUsername has_any (targetusername_has_any)) or (strcat(TargetDomain, \"\\\\\", TargetUsername) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, \"\\\\\", SubjectUserName) has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project\n TimeGenerated,\n EventID,\n Computer,\n _ResourceId,\n TargetDomain,\n TargetUserId,\n TargetUsername,\n ActorUserId,\n SubjectDomainName,\n SubjectUserName,\n ActorOriginalUserType,\n ActorSessionId,\n NewPropertyValue,\n PreviousPropertyValue,\n EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\", \"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n 
GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\", GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project\n TimeGenerated,\n EventID,\n Computer,\n _ResourceId,\n GroupId,\n GroupName,\n ActorUserId,\n SubjectDomainName,\n SubjectUserName,\n ActorOriginalUserType,\n ActorSessionId,\n TargetUsername,\n TargetUserId,\n EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\", \"\")\n )\n | lookup EventIDLookup on EventID\n | extend UpdatedPropertyName = EventSubType\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | lookup UserTypeLookup on ActorOriginalUserType\n | extend EventOriginalType = tostring(EventID)\n | extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = 
TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname,\n ActorUserIdType=\"SID\"\n | project-away Subject*, Computer, _ResourceId, EventID\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n User = ActorUsername\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json index 39cbda3482a..da1cce6aea7 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management activity ASIM filtering parser for Microsoft Sentinel native User Management activity table", - "category": "ASIM", - "FunctionAlias": "vimUserManagementNative", - "query": "let parser = (\n starttime:datetime = datetime(null)\n , endtime:datetime = datetime(null)\n , srcipaddr_has_any_prefix:dynamic = dynamic([])\n , targetusername_has_any:dynamic = dynamic([])\n , actorusername_has_any:dynamic = dynamic([])\n , eventtype_in:dynamic = dynamic([])\n , disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff 
(isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix\n , targetusername_has_any = targetusername_has_any\n , actorusername_has_any = actorusername_has_any\n , eventtype_in = eventtype_in\n , disabled = disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management activity ASIM filtering parser for Microsoft Sentinel native User Management activity table", + "category": "ASIM", + "FunctionAlias": "vimUserManagementNative", + "query": "let parser = (\n starttime:datetime = datetime(null)\n , endtime:datetime = datetime(null)\n , srcipaddr_has_any_prefix:dynamic = dynamic([])\n , targetusername_has_any:dynamic = dynamic([])\n , actorusername_has_any:dynamic = dynamic([])\n , eventtype_in:dynamic = dynamic([])\n , disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0 or TargetUsername 
has_any (targetusername_has_any))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix\n , targetusername_has_any = targetusername_has_any\n , actorusername_has_any = actorusername_has_any\n , eventtype_in = eventtype_in\n , disabled = disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json b/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json index 910a97a20a8..53d86dbc780 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json 
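Review bot: The EventStartTime alias in the new-side query tests the wrong column — `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),` keys the fallback on EventEndTime, so a row whose EventStartTime is null but whose EventEndTime is populated keeps a null start time, while a row with a populated start time and a null end time has it overwritten with TimeGenerated. The line directly above uses the matching column for EventEndTime, so this reads as a copy-paste slip; the intended line is `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. The same query text appears verbatim on the removed side and this ARM file looks generated, so the correction belongs in the parser's KQL source with the template regenerated rather than hand-edited here.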
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimUserManagementSentinelOne", - "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, 
\"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and activityType_d in (UsermanagementactivityIds)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", 
quote='\"')\n | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | extend \n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n 
GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any 
= actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimUserManagementSentinelOne", + "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy 
Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and activityType_d in (UsermanagementactivityIds)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" 
id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | extend \n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = 
\"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json b/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json index 65c35823283..a8ef61ad367 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json 
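Review bot: The raw-field pre-filter `(array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))` in the first where clause can discard events that the later normalized filter would keep, because for `activityType_d == 102` the parser synthesizes `ActorUsername = "SentinelOne"` instead of reading it from DataFields_s. A caller passing an `actorusername_has_any` list containing "SentinelOne" therefore only sees type-102 deletions if that token happens to occur in the raw DataFields_s text, which nothing visible here guarantees. A pre-filter should be a superset of the post-filter on ActorUsername, e.g. `or activityType_d == 102 or DataFields_s has_any (actorusername_has_any)` in that clause. The query is identical on both sides of the hunk and the template appears generated, so the change belongs in the parser's source with this file regenerated.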
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSession')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSession", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimWebSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimWebSessionEmpty,\n ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ExcludeASimWebSessionSquidProxy' in (DisabledParsers))),\n ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ExcludeASimWebSessionZscalerZIA' in (DisabledParsers))),\n ASimWebSessionNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionNative' in (DisabledParsers)))),\n ASimWebSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionVectraAI' in (DisabledParsers)))),\n ASimWebSessionIIS (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionIIS' in (DisabledParsers)))),\n ASimWebSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCEF' in (DisabledParsers))),\n ASimWebSessionApacheHTTPServer (ASimBuiltInDisabled or ('ExcludeASimWebSessionApacheHTTPServer' in (DisabledParsers))),\n 
ASimWebSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimWebSessionFortinetFortiGate' in (DisabledParsers))),\n ASimWebSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoMeraki' in (DisabledParsers))),\n ASimWebSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaWAF' in (DisabledParsers))),\n ASimWebSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaCEF' in (DisabledParsers))),\n ASimWebSessionCitrixNetScaler (ASimBuiltInDisabled or ('ExcludeASimWebSessionCitrixNetScaler' in (DisabledParsers))),\n ASimWebSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoFirepower' in (DisabledParsers))),\n ASimWebSessionF5ASM (ASimBuiltInDisabled or ('ExcludeASimWebSessionF5ASM' in (DisabledParsers))),\n ASimWebSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCortexDataLake' in (DisabledParsers))),\n ASimWebSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimWebSessionSonicWallFirewall' in (DisabledParsers)))\n}; \nparser(pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimWebSession", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimWebSessionEmpty,\n ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ExcludeASimWebSessionSquidProxy' in (DisabledParsers))),\n ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ExcludeASimWebSessionZscalerZIA' in (DisabledParsers))),\n 
ASimWebSessionNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionNative' in (DisabledParsers)))),\n ASimWebSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionVectraAI' in (DisabledParsers)))),\n ASimWebSessionIIS (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionIIS' in (DisabledParsers)))),\n ASimWebSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCEF' in (DisabledParsers))),\n ASimWebSessionApacheHTTPServer (ASimBuiltInDisabled or ('ExcludeASimWebSessionApacheHTTPServer' in (DisabledParsers))),\n ASimWebSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimWebSessionFortinetFortiGate' in (DisabledParsers))),\n ASimWebSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoMeraki' in (DisabledParsers))),\n ASimWebSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaWAF' in (DisabledParsers))),\n ASimWebSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaCEF' in (DisabledParsers))),\n ASimWebSessionCitrixNetScaler (ASimBuiltInDisabled or ('ExcludeASimWebSessionCitrixNetScaler' in (DisabledParsers))),\n ASimWebSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoFirepower' in (DisabledParsers))),\n ASimWebSessionF5ASM (ASimBuiltInDisabled or ('ExcludeASimWebSessionF5ASM' in (DisabledParsers))),\n ASimWebSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCortexDataLake' in (DisabledParsers))),\n ASimWebSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimWebSessionSonicWallFirewall' in (DisabledParsers)))\n}; \nparser(pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json b/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json
index 31f99abbd1d..9618187d598 100644
--- a/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json
+++ b/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionApacheHTTPServer')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionApacheHTTPServer", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Apache HTTP Server", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionApacheHTTPServer", - "query": "let Parser=(disabled:bool=false){\n ApacheHTTPServer_CL\n | where not(disabled)\n | project RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n | where not (RawData startswith \"[\") \n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n | parse RawData with * '] ' Temp'\"' *\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n | project-away RawData, Date, ClientIdentity, Temp\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n | project-rename \n DvcHostname = Computer,\n DvcId = _ResourceId,\n EventUid = _ItemId\n | extend \n HttpVersion = tostring(split(Protocol,\"/\")[1]),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n | extend \n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent,\n EventResult = iff (\n 
toint(EventResultDetails) < 400, \"Success\", \n \"Failure\"\n ),\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname,\n User = SrcUsername,\n SrcUsername = case(SrcUsername == \"-\", \"\", SrcUsername),\n HttpReferrer = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n HttpUserAgent = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n DstHostname = case(DstHostname == \"-\", \"\", DstHostname)\n | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-away Protocol\n | extend\n EventType = \"WebServerSession\", \n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventCount = int(1),\n EventVendor = \"Apache\",\n EventProduct = \"HTTP Server\",\n EventSeverity = \"Informational\"\n};\nParser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Apache HTTP Server", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionApacheHTTPServer", + "query": "let Parser=(disabled:bool=false){\n ApacheHTTPServer_CL\n | where not(disabled)\n | project RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n | where not (RawData startswith \"[\") \n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n | parse RawData with * '] ' Temp'\"' *\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n | project-away RawData, Date, ClientIdentity, Temp\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n | project-rename \n DvcHostname = Computer,\n DvcId = _ResourceId,\n EventUid = _ItemId\n | extend \n HttpVersion = tostring(split(Protocol,\"/\")[1]),\n EventStartTime = TimeGenerated,\n 
EventEndTime = TimeGenerated,\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n | extend \n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent,\n EventResult = iff (\n toint(EventResultDetails) < 400, \"Success\", \n \"Failure\"\n ),\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname,\n User = SrcUsername,\n SrcUsername = case(SrcUsername == \"-\", \"\", SrcUsername),\n HttpReferrer = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n HttpUserAgent = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n DstHostname = case(DstHostname == \"-\", \"\", DstHostname)\n | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-away Protocol\n | extend\n EventType = \"WebServerSession\", \n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventCount = int(1),\n EventVendor = \"Apache\",\n EventProduct = \"HTTP Server\",\n EventSeverity = \"Informational\"\n};\nParser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaCEF/ASimWebSessionBarracudaCEF.json b/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaCEF/ASimWebSessionBarracudaCEF.json index 959cec1b450..4247a7e964e 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaCEF/ASimWebSessionBarracudaCEF.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaCEF/ASimWebSessionBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Barracuda CEF", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionBarracudaCEF", - "query": "let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = 
DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\",\n status_code = toint(EventOutcome)\n | extend\n EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n ),\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\")\n | extend\n Dvc = DeviceName,\n EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n Rule = RuleName,\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n HttpVersion = FlexString1\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\")\n | extend\n Duration = 
NetworkDuration,\n SessionId = NetworkSessionId,\n EventEndTime = EventStartTime,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n HttpStatusCode = EventResultDetails\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Barracuda CEF", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionBarracudaCEF", + "query": "let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and 
(DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\",\n status_code = toint(EventOutcome)\n | extend\n EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n ),\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\")\n | extend\n Dvc = DeviceName,\n EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n Rule = RuleName,\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", 
DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n HttpVersion = FlexString1\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\")\n | extend\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n EventEndTime = EventStartTime,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n HttpStatusCode = EventResultDetails\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json b/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json index 2a05b43f882..d737b1894d1 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionBarracudaWAF", - "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: 
string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and (LogType_s in (\"WF\", \"TR\"))\n | lookup EventResultWFLookup on Action_s\n | lookup EventTypeLookup on LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dst = iff(LogType_s == \"WF\", ServiceIP_s, ServerIP_s),\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\",\n status_code = toint(HTTPStatus_s)\n | extend\n EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 
399),\n \"Partial\",\n \"NA\"\n ),\n RuleName = RuleType_s\n | extend\n Dvc = UnitName_s,\n EventResult = iff(LogType_s == \"TR\", EventResult_TR, EventResult_WF),\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n DstIpAddr = ServerIP_s,\n SrcIpAddr = ClientIP_s,\n DstBytes = tolong(BytesReceived_d),\n DstPortNumber = toint(coalesce(ServerPort_d,ServicePort_d)),\n HttpCookie = Cookie_s,\n HttpReferrer = Referer_s,\n HttpRequestBodyBytes = tolong(BytesReceived_d),\n HttpRequestMethod = Method_s,\n HttpResponseBodyBytes = tolong(BytesSent_d),\n NetworkDuration = toint(TimeTaken_d),\n HttpUserAgent = UserAgent_s,\n NetworkSessionId = SessionID_s,\n Rule = RuleName,\n SrcPortNumber = toint(ClientPort_d),\n SrcUsername = CertificateUser_s,\n DstUsername = AuthenticatedUser_s,\n Url = URL_s,\n HttpResponseCacheControl = iff(\n CacheHit_d == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n ProxyIP_s,\n \"ProxyPort\",\n ProxyPort_d\n ),\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n EventResultDetails = HTTPStatus_s,\n HttpVersion = ProtocolVersion_s\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\")\n | extend\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n EventEndTime = EventStartTime,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n HttpStatusCode = EventResultDetails\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n status_code,\n RawData,\n EventResult_*,\n SourceIP,\n Message,\n EventType_lookup,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n BarracudaCustom\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - 
] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionBarracudaWAF", + "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and (LogType_s in (\"WF\", \"TR\"))\n | lookup EventResultWFLookup on Action_s\n | lookup EventTypeLookup on 
LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dst = iff(LogType_s == \"WF\", ServiceIP_s, ServerIP_s),\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\",\n status_code = toint(HTTPStatus_s)\n | extend\n EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n ),\n RuleName = RuleType_s\n | extend\n Dvc = UnitName_s,\n EventResult = iff(LogType_s == \"TR\", EventResult_TR, EventResult_WF),\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n DstIpAddr = ServerIP_s,\n SrcIpAddr = ClientIP_s,\n DstBytes = tolong(BytesReceived_d),\n DstPortNumber = toint(coalesce(ServerPort_d,ServicePort_d)),\n HttpCookie = Cookie_s,\n HttpReferrer = Referer_s,\n HttpRequestBodyBytes = tolong(BytesReceived_d),\n HttpRequestMethod = Method_s,\n HttpResponseBodyBytes = tolong(BytesSent_d),\n NetworkDuration = toint(TimeTaken_d),\n HttpUserAgent = UserAgent_s,\n NetworkSessionId = SessionID_s,\n Rule = RuleName,\n SrcPortNumber = toint(ClientPort_d),\n SrcUsername = CertificateUser_s,\n DstUsername = AuthenticatedUser_s,\n Url = URL_s,\n HttpResponseCacheControl = iff(\n CacheHit_d == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n ProxyIP_s,\n \"ProxyPort\",\n ProxyPort_d\n ),\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n EventResultDetails = HTTPStatus_s,\n HttpVersion = ProtocolVersion_s\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\")\n | extend\n Duration = 
NetworkDuration,\n SessionId = NetworkSessionId,\n EventEndTime = EventStartTime,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n HttpStatusCode = EventResultDetails\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n status_code,\n RawData,\n EventResult_*,\n SourceIP,\n Message,\n EventType_lookup,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n BarracudaCustom\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoFirepower/ASimWebSessionCiscoFirepower.json b/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoFirepower/ASimWebSessionCiscoFirepower.json index e8bbf61fc43..cdfce8d3a23 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoFirepower/ASimWebSessionCiscoFirepower.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoFirepower/ASimWebSessionCiscoFirepower.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionCiscoFirepower')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionCiscoFirepower", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Cisco Firepower", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionCiscoFirepower", - "query": "let EventFieldsLookup = datatable(\n DeviceAction: string, \n DvcAction: string,\n EventResult: string\n )\n [\n \"Detect\", \"Allow\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Malware Cloud Lookup\", \"Deny\", \"Failure\",\n \"Malware Block\", \"Deny\", \"Failure\",\n \"Malware Allow List\", \"Allow\", \"Success\",\n \"Cloud Lookup Timeout\", \"Deny\", \"Failure\",\n \"Custom Detection\", \"Allow\", \"Partial\",\n \"Custom Detection Block\", \"Deny\", \"Failure\",\n \"Archive Block-Depth Exceeded\", \"Deny\", \"Failure\",\n \"Archive Block-Encrypted\", \"Encrypt\", \"Failure\",\n \"Archive Block-Failed to Inspect\", \"Deny\", \"Failure\"\n ];\n let DirectionLookup = datatable (CommunicationDirection: string, NetworkDirection: string)[\n \"1\", \"Inbound\",\n \"2\", \"Outbound\"\n ];\n let parser=(disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID in(\"File:500:1\", \"FileMalware:502:1\", \"FireAMP:125:1\")\n | parse-kv AdditionalExtensions as (start: long) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventMessage = iff(DeviceEventClassID == 
\"FireAMP:125:1\", DeviceCustomString5, \"\"),\n ThreatName = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString2, \"\"),\n Disposition = case(\n DeviceEventClassID == \"FireAMP:125:1\",\n DeviceCustomString3,\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n DeviceCustomString2,\n \"\"\n ),\n AdditionalFields = todynamic(\n case(\n DeviceEventClassID == \"FireAMP:125:1\",\n bag_pack(\n \"policy\", DeviceCustomString1,\n \"process\", SourceProcessName,\n \"connectionInstance\", ProcessID,\n \"disposition\", DeviceCustomString3,\n \"event type id\", EventOutcome\n ),\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n bag_pack(\n \"connectionInstance\", ProcessID,\n \"signaturedata\", DeviceCustomString4,\n \"disposition\", DeviceCustomString2\n ),\n \"\"\n )\n )\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol)\n | lookup DirectionLookup on CommunicationDirection\n | lookup EventFieldsLookup on DeviceAction\n | extend\n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventSeverity = case(\n DvcAction == \"Allow\" and Disposition =~ \"Malware\",\n \"High\",\n DvcAction == \"Deny\" and Disposition =~ \"Malware\",\n \"Medium\",\n DvcAction == \"Deny\" and Disposition !~ \"Malware\",\n \"Low\",\n \"Informational\"\n ),\n EventOriginalType = case(\n DeviceEventClassID has \"File:500:1\",\n \"File Event\",\n DeviceEventClassID has \"FileMalware:502:1\",\n \"FileMalware Event\",\n Activity\n ),\n FileContentType = FileType,\n HttpContentType = FileType,\n FileSize = tolong(FileSize),\n ThreatCategory = iff(Disposition =~ \"Malware\", Disposition, \"\")\n | extend Ip_device = iff(DeviceName 
matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend \n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventVendor = DeviceVendor,\n EventProduct = DeviceProduct,\n EventProductVersion = DeviceVersion,\n DstPortNumber = DestinationPort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n FileSHA256 = FileHash,\n SrcPortNumber = SourcePort,\n EventOriginalSeverity = LogSeverity,\n EventOriginalUid = ExtID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n HttpUserAgent = RequestClientApplication\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n HashType = \"SHA256\",\n DvcIdType = \"Other\",\n NetworkProtocolVersion=case(DstIpAddr has \".\", \"IPv4\", DstIpAddr has \":\", \"IPv6\", \"\"),\n IpAddr = SrcIpAddr,\n Hash = FileSHA256,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr)\n | project-away\n Source*,\n Destination*,\n Device*,\n start,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n FileID,\n FileModificationTime,\n Old*,\n FileCreateTime,\n FilePermission,\n IndicatorThreatType,\n MaliciousIP*,\n Message,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n 
SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n FilePath,\n FileType,\n Reason,\n ReceiptTime,\n ExternalID,\n ReportReferenceLink,\n Ip_*,\n host*,\n _ResourceId,\n NetworkProtocolNumber,\n Disposition,\n ThreatConfidence\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionCiscoFirepower", + "query": "let EventFieldsLookup = datatable(\n DeviceAction: string, \n DvcAction: string,\n EventResult: string\n )\n [\n \"Detect\", \"Allow\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Malware Cloud Lookup\", \"Deny\", \"Failure\",\n \"Malware Block\", \"Deny\", \"Failure\",\n \"Malware Allow List\", \"Allow\", \"Success\",\n \"Cloud Lookup Timeout\", \"Deny\", \"Failure\",\n \"Custom Detection\", \"Allow\", \"Partial\",\n \"Custom Detection Block\", \"Deny\", \"Failure\",\n \"Archive Block-Depth Exceeded\", \"Deny\", \"Failure\",\n \"Archive Block-Encrypted\", \"Encrypt\", \"Failure\",\n \"Archive Block-Failed to Inspect\", \"Deny\", \"Failure\"\n ];\n let DirectionLookup = datatable (CommunicationDirection: string, NetworkDirection: string)[\n \"1\", \"Inbound\",\n \"2\", \"Outbound\"\n ];\n let parser=(disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID in(\"File:500:1\", \"FileMalware:502:1\", \"FireAMP:125:1\")\n | parse-kv AdditionalExtensions as (start: long) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventMessage = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString5, \"\"),\n ThreatName = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString2, \"\"),\n Disposition = case(\n DeviceEventClassID == \"FireAMP:125:1\",\n DeviceCustomString3,\n DeviceEventClassID in 
(\"File:500:1\", \"FileMalware:502:1\"),\n DeviceCustomString2,\n \"\"\n ),\n AdditionalFields = todynamic(\n case(\n DeviceEventClassID == \"FireAMP:125:1\",\n bag_pack(\n \"policy\", DeviceCustomString1,\n \"process\", SourceProcessName,\n \"connectionInstance\", ProcessID,\n \"disposition\", DeviceCustomString3,\n \"event type id\", EventOutcome\n ),\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n bag_pack(\n \"connectionInstance\", ProcessID,\n \"signaturedata\", DeviceCustomString4,\n \"disposition\", DeviceCustomString2\n ),\n \"\"\n )\n )\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol)\n | lookup DirectionLookup on CommunicationDirection\n | lookup EventFieldsLookup on DeviceAction\n | extend\n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventSeverity = case(\n DvcAction == \"Allow\" and Disposition =~ \"Malware\",\n \"High\",\n DvcAction == \"Deny\" and Disposition =~ \"Malware\",\n \"Medium\",\n DvcAction == \"Deny\" and Disposition !~ \"Malware\",\n \"Low\",\n \"Informational\"\n ),\n EventOriginalType = case(\n DeviceEventClassID has \"File:500:1\",\n \"File Event\",\n DeviceEventClassID has \"FileMalware:502:1\",\n \"FileMalware Event\",\n Activity\n ),\n FileContentType = FileType,\n HttpContentType = FileType,\n FileSize = tolong(FileSize),\n ThreatCategory = iff(Disposition =~ \"Malware\", Disposition, \"\")\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, 
Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend \n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventVendor = DeviceVendor,\n EventProduct = DeviceProduct,\n EventProductVersion = DeviceVersion,\n DstPortNumber = DestinationPort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n FileSHA256 = FileHash,\n SrcPortNumber = SourcePort,\n EventOriginalSeverity = LogSeverity,\n EventOriginalUid = ExtID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n HttpUserAgent = RequestClientApplication\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n HashType = \"SHA256\",\n DvcIdType = \"Other\",\n NetworkProtocolVersion=case(DstIpAddr has \".\", \"IPv4\", DstIpAddr has \":\", \"IPv6\", \"\"),\n IpAddr = SrcIpAddr,\n Hash = FileSHA256,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr)\n | project-away\n Source*,\n Destination*,\n Device*,\n start,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n FileID,\n FileModificationTime,\n Old*,\n FileCreateTime,\n FilePermission,\n IndicatorThreatType,\n MaliciousIP*,\n Message,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n FilePath,\n FileType,\n Reason,\n ReceiptTime,\n ExternalID,\n ReportReferenceLink,\n Ip_*,\n host*,\n _ResourceId,\n NetworkProtocolNumber,\n Disposition,\n 
ThreatConfidence\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json b/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json index 3493ec240ff..1d1d0829534 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionCiscoMeraki", - "query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(disabled: bool=false) {\n let allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string 
\" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend\n disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | extend agent = trim(\"'\", agent)\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | extend\n EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n ),\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == \"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend 
DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId \n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionCiscoMeraki", + "query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(disabled: bool=false) {\n let allData = union isfuzzy=true\n (\n meraki_CL\n | 
project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string \" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend\n disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | extend agent = trim(\"'\", 
agent)\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | extend\n EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n ),\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == \"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId \n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n 
parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionCitrixNetScaler/ASimWebSessionCitrixNetScaler.json b/Parsers/ASimWebSession/ARM/ASimWebSessionCitrixNetScaler/ASimWebSessionCitrixNetScaler.json index bb4374f4254..d5d3d2e9c98 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionCitrixNetScaler/ASimWebSessionCitrixNetScaler.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionCitrixNetScaler/ASimWebSessionCitrixNetScaler.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionCitrixNetScaler')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionCitrixNetScaler", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Citrix NetScaler(Web App Firewall)", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionCitrixNetScaler", - "query": "let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)\n[\n \"EMERGENCY\", \"High\",\n \"ALERT\", \"High\",\n \"CRITICAL\", \"High\",\n \"ERROR\", \"Medium\",\n \"WARNING\", \"Low\",\n \"NOTICE\", \"Low\",\n \"INFORMATIONAL\", \"Informational\",\n \"DEBUG\", \"Informational\",\n \"INFO\", \"Informationl\",\n \"WARN\", \"Low\",\n \"ERR\", \"Medium\"\n];\nlet EventFieldsLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"blocked\", \"Deny\", \"Failure\",\n \"not blocked\", \"Allow\", \"Success\",\n \"transformed\", \"Allow\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Citrix\" and DeviceProduct == \"NetScaler\"\n | where DeviceEventClassID == \"APPFW\" and Activity has_any (\"APPFW_STARTURL\", \"APPFW_XML_cross-site scripting\", \"APPFW_SAFECOMMERCE\", \"APPFW_SAFECOMMERCE_XFORM\", \"APPFW_SIGNATURE_MATCH\", \"APPFW_XML_ERR_NOT_WELLFORMED\", \"APPFW_FIELDCONSISTENCY\", \"APPFW_SQL\", \"APPFW_BUFFEROVERFLOW_URL\", \"APPFW_BUFFEROVERFLOW_COOKIE\", \"APPFW_cross-site scripting\", 
\"APPFW_FIELDFORMAT\", \"APPFW_REFERER_HEADER\", \"APPFW_XSS\")\n | parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | parse RequestURL with * \"://\" host: string \"/\" *\n | extend\n DeviceAction = trim(\"[*]+\", DeviceAction),\n Ip_host = iff(host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", host, \"\"),\n Ip_computer = iff(Computer matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", Computer, \"\"),\n HttpHost = host\n | lookup EventFieldsLookup on DeviceAction\n | lookup EventSeverityLookup on DeviceCustomString4\n | extend\n host = iff(isempty(Ip_host), host, \"\"),\n Computer = iff(isempty(Ip_computer), Computer, \"\"),\n AdditionalFields = bag_pack(\n \"Script\", script,\n \"Event ID\", FieldDeviceCustomNumber1,\n \"HTTP Transaction ID\", FieldDeviceCustomNumber2,\n \"Profile Name\", DeviceCustomString1,\n \"PPE ID\", DeviceCustomString2,\n \"Signature Violation Category\", DeviceCustomString6\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | invoke _ASIM_ResolveDstFQDN('host')\n | extend\n DstIpAddr = tostring(split(Ip_host, \":\")[0]),\n DstPortNumber = toint(split(Ip_host, \":\")[1]),\n DvcIpAddr = tostring(split(Ip_computer, \":\")[0])\n | extend \n DstHostname = coalesce(DstIpAddr, DstHostname)\n | extend\n EventProduct = \"NetScaler\",\n EventVendor = \"Citrix\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventUid = _ItemId,\n SrcIpAddr = SourceIP,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n EventOriginalSeverity = DeviceCustomString4,\n EventProductVersion = DeviceVersion,\n HttpRequestMethod = method,\n NetworkSessionId = DeviceCustomString3,\n SrcPortNumber = SourcePort,\n Url = RequestURL,\n EventOriginalType = DeviceEventClassID,\n 
EventOriginalSubType = Activity,\n SrcGeoCountry = geolocation\n | extend\n EventEndTime = EventStartTime,\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n Ip_*,\n LogSeverity,\n _ResourceId,\n host,\n script,\n ExtID\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Citrix NetScaler(Web App Firewall)", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionCitrixNetScaler", + "query": "let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)\n[\n \"EMERGENCY\", \"High\",\n \"ALERT\", \"High\",\n \"CRITICAL\", \"High\",\n \"ERROR\", \"Medium\",\n \"WARNING\", \"Low\",\n \"NOTICE\", \"Low\",\n \"INFORMATIONAL\", \"Informational\",\n \"DEBUG\", \"Informational\",\n \"INFO\", \"Informationl\",\n \"WARN\", \"Low\",\n \"ERR\", \"Medium\"\n];\nlet EventFieldsLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"blocked\", \"Deny\", \"Failure\",\n \"not blocked\", \"Allow\", \"Success\",\n \"transformed\", \"Allow\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Citrix\" and DeviceProduct == \"NetScaler\"\n | where DeviceEventClassID == \"APPFW\" and Activity has_any (\"APPFW_STARTURL\", \"APPFW_XML_cross-site 
scripting\", \"APPFW_SAFECOMMERCE\", \"APPFW_SAFECOMMERCE_XFORM\", \"APPFW_SIGNATURE_MATCH\", \"APPFW_XML_ERR_NOT_WELLFORMED\", \"APPFW_FIELDCONSISTENCY\", \"APPFW_SQL\", \"APPFW_BUFFEROVERFLOW_URL\", \"APPFW_BUFFEROVERFLOW_COOKIE\", \"APPFW_cross-site scripting\", \"APPFW_FIELDFORMAT\", \"APPFW_REFERER_HEADER\", \"APPFW_XSS\")\n | parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | parse RequestURL with * \"://\" host: string \"/\" *\n | extend\n DeviceAction = trim(\"[*]+\", DeviceAction),\n Ip_host = iff(host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", host, \"\"),\n Ip_computer = iff(Computer matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", Computer, \"\"),\n HttpHost = host\n | lookup EventFieldsLookup on DeviceAction\n | lookup EventSeverityLookup on DeviceCustomString4\n | extend\n host = iff(isempty(Ip_host), host, \"\"),\n Computer = iff(isempty(Ip_computer), Computer, \"\"),\n AdditionalFields = bag_pack(\n \"Script\", script,\n \"Event ID\", FieldDeviceCustomNumber1,\n \"HTTP Transaction ID\", FieldDeviceCustomNumber2,\n \"Profile Name\", DeviceCustomString1,\n \"PPE ID\", DeviceCustomString2,\n \"Signature Violation Category\", DeviceCustomString6\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | invoke _ASIM_ResolveDstFQDN('host')\n | extend\n DstIpAddr = tostring(split(Ip_host, \":\")[0]),\n DstPortNumber = toint(split(Ip_host, \":\")[1]),\n DvcIpAddr = tostring(split(Ip_computer, \":\")[0])\n | extend \n DstHostname = coalesce(DstIpAddr, DstHostname)\n | extend\n EventProduct = \"NetScaler\",\n EventVendor = \"Citrix\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventUid = _ItemId,\n SrcIpAddr = SourceIP,\n DvcOriginalAction = DeviceAction,\n EventMessage 
= Message,\n EventOriginalSeverity = DeviceCustomString4,\n EventProductVersion = DeviceVersion,\n HttpRequestMethod = method,\n NetworkSessionId = DeviceCustomString3,\n SrcPortNumber = SourcePort,\n Url = RequestURL,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSubType = Activity,\n SrcGeoCountry = geolocation\n | extend\n EventEndTime = EventStartTime,\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n Ip_*,\n LogSeverity,\n _ResourceId,\n host,\n script,\n ExtID\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionF5ASM/ASimWebSessionF5ASM.json b/Parsers/ASimWebSession/ARM/ASimWebSessionF5ASM/ASimWebSessionF5ASM.json index 99b0c091136..ca3d27502b5 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionF5ASM/ASimWebSessionF5ASM.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionF5ASM/ASimWebSessionF5ASM.json 
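Review bot: The EventSeverityLookup datatable in the new-side query for ASimWebSessionCitrixNetScaler maps `\"INFO\"` to `\"Informationl\"`, a misspelling of the ASIM EventSeverity value `Informational`, so NetScaler INFO-level events get a severity string that no downstream rule or workbook keyed on the standard values will match. The same row is present on the removed side, so the resource restructure carried the defect over unchanged; the row should read `\"INFO\", \"Informational\",`. As this ARM template appears to be generated from the parser's YAML definition, the correction presumably belongs in that source file and should be regenerated here rather than hand-edited in the JSON.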
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionF5ASM')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionF5ASM", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM)", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionF5ASM", - "query": "let DvcActionLookup = datatable (DeviceAction: string, DvcAction: string)\n[\n \"Blocked\", \"Deny\",\n \"blocked\", \"Deny\",\n \"Passed\", \"Allow\",\n \"passed\", \"Allow\",\n \"Alerted\", \"Deny\",\n \"alerted\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser=(disabled: bool=false) {\n let DeviceEventClassIDList = dynamic([\"Brute Force Attack\", \"IP Enforcer Attack\", \"Web Scraping Attack\", \"DoS Attack\"]);\n let AllData = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"F5\" and DeviceProduct == \"ASM\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename DvcIpAddr = DeviceAddress;\n let GeneralEnforcementData = AllData\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or DeviceEventClassID == Activity) \n and DeviceEventClassID !in (DeviceEventClassIDList)\n | parse-kv DeviceCustomString3 as (Host: string, 
[\"User-Agent\"]: string, Cookie: string, Referer: string) with (pair_delimiter=\"\\\\r\\\\n\", kv_delimiter=\":\")\n | parse DeviceCustomString3 with * \"HTTP/\" HttpVersion: string \"\\\\r\\\\n\" rest: string\n | extend\n EventResultDetails = tostring(FieldDeviceCustomNumber1)\n | project-rename \n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n EventOriginalUid = ExtID,\n HttpRequestMethod = RequestMethod,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpCookie = Cookie,\n HttpHost = Host,\n HttpReferrer = Referer,\n HttpUserAgent = ['User-Agent'],\n HttpRequestXff = DeviceCustomString5\n | extend\n EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\"),\n HttpStatusCode = EventResultDetails,\n AdditionalFields = bag_pack(\n \"Full Request\", DeviceCustomString3, \n \"Policy Name\", DeviceCustomString1,\n \"Attack Type\", DeviceCustomString4,\n \"Policy Apply Date\", DeviceCustomDate1,\n \"Web Application Name\", DeviceCustomString2\n ),\n Dst = DstIpAddr;\n let AnomalyDetectionData = AllData\n | where DeviceEventClassID in (DeviceEventClassIDList)\n | extend\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\n \"Detection Average\", FieldDeviceCustomNumber1,\n \"Dropped Requests\", FieldDeviceCustomNumber2,\n \"Attack Status\", DeviceCustomString4,\n \"Detection Mode\", DeviceCustomString5,\n \"Web Application Name\", DeviceCustomString2\n ),\n ThreatId = tostring(FieldDeviceCustomNumber3)\n | project-away ApplicationProtocol, ExtID;\n union GeneralEnforcementData, AnomalyDetectionData\n | lookup DvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = todatetime(ReceiptTime),\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\n | extend\n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = 
\"HTTPsession\"\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n DvcOriginalAction = DeviceAction,\n Url = RequestURL,\n SrcIpAddr = SourceIP,\n SrcGeoCountry = DeviceCustomString6,\n SrcPortNumber = SourcePort,\n SrcUserId = SourceUserID,\n SrcUsername = SourceUserName,\n EventMessage = Message,\n EventProductVersion = DeviceVersion,\n RuleName = DeviceCustomString1\n | extend \n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n Rule = RuleName\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n IndicatorThreatType,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n ThreatConfidence,\n Reason,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n rest,\n _ResourceId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM)", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionF5ASM", + "query": "let DvcActionLookup = datatable (DeviceAction: string, DvcAction: string)\n[\n \"Blocked\", \"Deny\",\n \"blocked\", \"Deny\",\n \"Passed\", \"Allow\",\n \"passed\", \"Allow\",\n \"Alerted\", \"Deny\",\n \"alerted\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: 
string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser=(disabled: bool=false) {\n let DeviceEventClassIDList = dynamic([\"Brute Force Attack\", \"IP Enforcer Attack\", \"Web Scraping Attack\", \"DoS Attack\"]);\n let AllData = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"F5\" and DeviceProduct == \"ASM\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename DvcIpAddr = DeviceAddress;\n let GeneralEnforcementData = AllData\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or DeviceEventClassID == Activity) \n and DeviceEventClassID !in (DeviceEventClassIDList)\n | parse-kv DeviceCustomString3 as (Host: string, [\"User-Agent\"]: string, Cookie: string, Referer: string) with (pair_delimiter=\"\\\\r\\\\n\", kv_delimiter=\":\")\n | parse DeviceCustomString3 with * \"HTTP/\" HttpVersion: string \"\\\\r\\\\n\" rest: string\n | extend\n EventResultDetails = tostring(FieldDeviceCustomNumber1)\n | project-rename \n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n EventOriginalUid = ExtID,\n HttpRequestMethod = RequestMethod,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpCookie = Cookie,\n HttpHost = Host,\n HttpReferrer = Referer,\n HttpUserAgent = ['User-Agent'],\n HttpRequestXff = DeviceCustomString5\n | extend\n EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\"),\n HttpStatusCode = EventResultDetails,\n AdditionalFields = bag_pack(\n \"Full Request\", DeviceCustomString3, \n \"Policy Name\", DeviceCustomString1,\n \"Attack Type\", DeviceCustomString4,\n \"Policy Apply Date\", DeviceCustomDate1,\n \"Web Application Name\", DeviceCustomString2\n ),\n Dst = DstIpAddr;\n let AnomalyDetectionData = AllData\n | where DeviceEventClassID 
in (DeviceEventClassIDList)\n | extend\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\n \"Detection Average\", FieldDeviceCustomNumber1,\n \"Dropped Requests\", FieldDeviceCustomNumber2,\n \"Attack Status\", DeviceCustomString4,\n \"Detection Mode\", DeviceCustomString5,\n \"Web Application Name\", DeviceCustomString2\n ),\n ThreatId = tostring(FieldDeviceCustomNumber3)\n | project-away ApplicationProtocol, ExtID;\n union GeneralEnforcementData, AnomalyDetectionData\n | lookup DvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = todatetime(ReceiptTime),\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\n | extend\n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n DvcOriginalAction = DeviceAction,\n Url = RequestURL,\n SrcIpAddr = SourceIP,\n SrcGeoCountry = DeviceCustomString6,\n SrcPortNumber = SourcePort,\n SrcUserId = SourceUserID,\n SrcUsername = SourceUserName,\n EventMessage = Message,\n EventProductVersion = DeviceVersion,\n RuleName = DeviceCustomString1\n | extend \n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n Rule = RuleName\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n IndicatorThreatType,\n MaliciousIP*,\n OriginalLogSeverity,\n 
Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n ThreatConfidence,\n Reason,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n rest,\n _ResourceId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json b/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json index 28c18873cda..cac7468486c 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionFortinetFortiGate", - "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\n[\n \"passthrough\",\"Allow\",\"Success\"\n , \"blocked\",\"Deny\",\"Failure\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"Medium\", // Alert\n \"8\", \"High\" // Emergency\n];\nlet parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" \n and DeviceProduct startswith \"Fortigate\"\n and Activity has_all ('webfilter', 'utm')\n | extend \n EventResultDetails = \"NA\"\n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, 
DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName\n | project-rename \n Url = RequestURL\n , UrlCategory = RequestContext\n , DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , DvcHostname = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n , DstHostname = DestinationHostName\n , SrcHostname = SourceHostName\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | extend \n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long,\n ['ad.referralurl']:string,\n ['ad.httpmethod']:string,\n ['ad.agent']:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\n | project-rename\n HttpReferrer = ['ad.referralurl'],\n HttpRequestMethod = ['ad.httpmethod'],\n HttpUserAgent = ['ad.agent'],\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = 
FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n RuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | parse AdditionalExtensions with * \"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\n | extend \n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\n | project-away temp_*\n | extend \n EventCount = int(1)\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventType = \"HTTPsession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n , UserAgent = HttpUserAgent\n , Dvc = DvcHostname\n , User = SrcUsername\n , Hostname = DstHostname\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(RuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionFortinetFortiGate", + "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\n[\n \"passthrough\",\"Allow\",\"Success\"\n , 
\"blocked\",\"Deny\",\"Failure\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"Medium\", // Alert\n \"8\", \"High\" // Emergency\n];\nlet parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" \n and DeviceProduct startswith \"Fortigate\"\n and Activity has_all ('webfilter', 'utm')\n | extend \n EventResultDetails = \"NA\"\n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName\n | project-rename \n Url = RequestURL\n , UrlCategory = RequestContext\n , DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , DvcHostname = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n , DstHostname = DestinationHostName\n , SrcHostname = SourceHostName\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | 
extend \n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long,\n ['ad.referralurl']:string,\n ['ad.httpmethod']:string,\n ['ad.agent']:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\n | project-rename\n HttpReferrer = ['ad.referralurl'],\n HttpRequestMethod = ['ad.httpmethod'],\n HttpUserAgent = ['ad.agent'],\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n RuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | parse AdditionalExtensions with * \"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\n | extend \n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\n | project-away temp_*\n | extend \n EventCount = int(1)\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventType = \"HTTPsession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , 
EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n , UserAgent = HttpUserAgent\n , Dvc = DvcHostname\n , User = SrcUsername\n , Hostname = DstHostname\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(RuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionIIS/ASimWebSessionIIS.json b/Parsers/ASimWebSession/ARM/ASimWebSessionIIS/ASimWebSessionIIS.json index e0aac9ac627..9370d9722a1 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionIIS/ASimWebSessionIIS.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionIIS/ASimWebSessionIIS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionIIS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionIIS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Windows IIS logs", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionIIS", - "query": "let parser = (disabled: bool = false)\n {\n W3CIISLog\n | where not(disabled)\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\"),\n EventResultDetails = tostring(scStatus), \n csUriQuery = iff(csUriQuery == \"-\", \"\", csUriQuery),\n csUserName = iff(csUserName == \"-\", \"\", csUserName),\n HttpVersion = iff((csVersion has \"HTTP\"), split(csVersion, \"/\")[1], \"\"), // there is a limited chance that something connects over non-HTTP\n HttpHost = iff (sSiteName in (\"Default Web Site\", \"-\"), \"\", sSiteName)\n | project-rename \n HttpRequestMethod = csMethod,\n User = csUserName, //probably won't have this one often\n Dvc = Computer,\n Dst = sIP,\n Src = cIP,\n UserAgent = csUserAgent,\n ThreatCategory = IndicatorThreatType,\n SrcGeoCountry = RemoteIPCountry,\n SrcGeoLatitude = RemoteIPLatitude,\n SrcGeoLongitude = RemoteIPLongitude,\n ThreatOriginalConfidence = Confidence,\n ThreatIpAddr = MaliciousIP,\n EventReportUrl = ReportReferenceLink,\n EventUid = _ItemId,\n DvcId = _ResourceId\n | extend\n EventOriginalSeverity = tostring(Severity),\n ThreatIsActive = tobool(IsActive),\n ThreatFirstReportedTime = todatetime(FirstReportedDateTime),\n ThreatLastReportedTime = 
todatetime(LastReportedDateTime),\n SrcUsername = iff ( User == \"-\", \"\", User),\n HttpReferrer = iff ( csReferer == \"-\", \"\", csReferer),\n DvcIdType = \"AzureResourceId\"\n | project-away IsActive, FirstReportedDateTime, LastReportedDateTime, Severity, sSiteName\n | extend \n SrcUsernameType = _ASIM_GetUsernameType (SrcUsername),\n DstNatIpAddr = iff(csHost <> \"\", Dst, \"\"),\n EventType = 'WebServerSession', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'WebSession', \n EventProduct = 'IIS',\n DvcOs = 'Windows',\n EventCount = int(1),\n SrcIpAddr = Src,\n IpAddr = Src,\n HttpUserAgent = UserAgent,\n HttpStatusCode = tostring(EventResultDetails),\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\n sPort = tostring(sPort),\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\n EventOriginalResultDetails = iff(scSubStatus <> \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\n | extend \n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\n | extend \n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\n | project-away ipv4_parts, ipv6_parts, host_parts \n | extend\n DstHostname = HttpHost,\n Hostname = HttpHost\n | extend \n ThreatField = case(\n ThreatIpAddr <> \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\n ,ThreatIpAddr <> \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\n ,\"\")\n | 
project-away \n AdditionalInformation,\n AzureDeploymentID,\n Date,\n Description,\n DvcOs,\n FileOffset,\n FileUri,\n MG, \n ManagementGroupName,\n Role*,\n sComputerName,\n SourceSystem,\n TLPLevel,\n TenantId,\n TimeTaken,\n Time,\n cs*,\n sPort,\n sc*,\n StorageAccount\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Windows IIS logs", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionIIS", + "query": "let parser = (disabled: bool = false)\n {\n W3CIISLog\n | where not(disabled)\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\"),\n EventResultDetails = tostring(scStatus), \n csUriQuery = iff(csUriQuery == \"-\", \"\", csUriQuery),\n csUserName = iff(csUserName == \"-\", \"\", csUserName),\n HttpVersion = iff((csVersion has \"HTTP\"), split(csVersion, \"/\")[1], \"\"), // there is a limited chance that something connects over non-HTTP\n HttpHost = iff (sSiteName in (\"Default Web Site\", \"-\"), \"\", sSiteName)\n | project-rename \n HttpRequestMethod = csMethod,\n User = csUserName, //probably won't have this one often\n Dvc = Computer,\n Dst = sIP,\n Src = cIP,\n UserAgent = csUserAgent,\n ThreatCategory = IndicatorThreatType,\n SrcGeoCountry = RemoteIPCountry,\n SrcGeoLatitude = RemoteIPLatitude,\n SrcGeoLongitude = RemoteIPLongitude,\n ThreatOriginalConfidence = Confidence,\n ThreatIpAddr = MaliciousIP,\n EventReportUrl = ReportReferenceLink,\n EventUid = _ItemId,\n DvcId = _ResourceId\n | extend\n EventOriginalSeverity = tostring(Severity),\n ThreatIsActive = tobool(IsActive),\n ThreatFirstReportedTime = todatetime(FirstReportedDateTime),\n ThreatLastReportedTime = todatetime(LastReportedDateTime),\n SrcUsername = iff ( User == \"-\", \"\", User),\n HttpReferrer = iff ( csReferer == \"-\", \"\", csReferer),\n DvcIdType = \"AzureResourceId\"\n | project-away IsActive, 
FirstReportedDateTime, LastReportedDateTime, Severity, sSiteName\n | extend \n SrcUsernameType = _ASIM_GetUsernameType (SrcUsername),\n DstNatIpAddr = iff(csHost <> \"\", Dst, \"\"),\n EventType = 'WebServerSession', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'WebSession', \n EventProduct = 'IIS',\n DvcOs = 'Windows',\n EventCount = int(1),\n SrcIpAddr = Src,\n IpAddr = Src,\n HttpUserAgent = UserAgent,\n HttpStatusCode = tostring(EventResultDetails),\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\n sPort = tostring(sPort),\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\n EventOriginalResultDetails = iff(scSubStatus <> \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\n | extend \n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\n | extend \n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\n | project-away ipv4_parts, ipv6_parts, host_parts \n | extend\n DstHostname = HttpHost,\n Hostname = HttpHost\n | extend \n ThreatField = case(\n ThreatIpAddr <> \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\n ,ThreatIpAddr <> \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\n ,\"\")\n | project-away \n AdditionalInformation,\n AzureDeploymentID,\n Date,\n Description,\n DvcOs,\n FileOffset,\n FileUri,\n MG, \n ManagementGroupName,\n Role*,\n sComputerName,\n SourceSystem,\n TLPLevel,\n 
TenantId,\n TimeTaken,\n Time,\n cs*,\n sPort,\n sc*,\n StorageAccount\n };\n parser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionNative/ASimWebSessionNative.json b/Parsers/ASimWebSession/ARM/ASimWebSessionNative/ASimWebSessionNative.json index 23583d10f0d..95830e320a8 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionNative/ASimWebSessionNative.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionNative/ASimWebSessionNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Microsoft Sentinel native Network Session table", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionNative", - "query": "let parser=(disabled:bool=false) \n{\n ASimWebSessionLogs | where not(disabled)\n // \n // -- Schema fixed\n | extend\n FileSize = tolong(FileSize)\n //\n // -- Log Analytics global fields renaming\n | project-rename\n EventUid = _ItemId,\n DvcScopeId = _SubscriptionId\n //\n // -- ASIM Global fields\n | extend \n EventSchema = \"WebSession\"\n | extend\n //\n // -- Default values\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\n //\n // -- Multi-source aliases\n Dvc = iff (EventType == 'HTTPSession',\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n //\n // -- Aliases which depend on EventType\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), 
SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n //\n // -- Simple aliases\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent\n // --\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \n //InnerVlanId = SrcVlanId,\n //OuterVlanId = DstVlanId,\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \n | project-away\n TenantId, SourceSystem, _ResourceId\n};\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Microsoft Sentinel native Network Session table", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionNative", + "query": "let parser=(disabled:bool=false) \n{\n ASimWebSessionLogs | where not(disabled)\n // \n // -- Schema fixed\n | extend\n FileSize = tolong(FileSize)\n //\n // -- Log Analytics global fields renaming\n | project-rename\n EventUid = _ItemId,\n DvcScopeId = _SubscriptionId\n //\n // -- ASIM Global fields\n | extend \n EventSchema = \"WebSession\"\n | extend\n //\n // -- Default values\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\n //\n // -- Multi-source aliases\n Dvc = iff (EventType == 'HTTPSession',\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n //\n // -- Aliases which depend on EventType\n 
Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n //\n // -- Simple aliases\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent\n // --\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \n //InnerVlanId = SrcVlanId,\n //OuterVlanId = DstVlanId,\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \n | project-away\n TenantId, SourceSystem, _ResourceId\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCEF/ASimWebSessionPaloAltoCEF.json b/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCEF/ASimWebSessionPaloAltoCEF.json index dea480c4233..3b08ecb73b0 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCEF/ASimWebSessionPaloAltoCEF.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCEF/ASimWebSessionPaloAltoCEF.json 
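Review bot: The `Dvc` alias in the retained query still tests `EventType == 'HTTPSession'`, while the other parsers in this diff write `EventType = "HTTPsession"`; KQL `==` on strings is case-sensitive, so if the table carries the lower-case form the first `coalesce` branch is never taken and `Dvc` silently falls through to the DstFQDN/DstHostname variant. Suggest `Dvc = iff (EventType =~ 'HTTPsession',` (or match the exact case the writers use), and if this JSON is produced from the parser YAML the change belongs in that source rather than here. The `displayName` also still says "native Network Session table" although the query reads `ASimWebSessionLogs`; `"displayName": "Web Session ASIM parser for Microsoft Sentinel native Web Session table"` would describe the resource correctly.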
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionPaloAltoCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionPaloAltoCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Palo Alto Networks URL Filtering", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionPaloAltoCEF", - "query": "let parser=(disabled:bool=false){\n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\n [\n \"alert\", \"Allow\", \"Success\",\"200\"\n , \"allow\", \"Allow\", \"Success\", \"200\"\n , \"continue\", \"Allow\", \"Success\", \"200\"\n , \"override\", \"Allow\", \"Success\", \"200\"\n , \"block-continue\", \"Allow\", \"Partial\", \"200\"\n , \"block-url\", \"Deny\", \"Failure\", \"503\"\n , \"block-override\", \"Deny\", \"Failure\", \"302\"\n , \"override-lockout\", \"Deny\", \"Failure\",\"503\"\n , \"reset client\", \"Reset Source\", \"Failure\", \"503\"\n , \"reset server\", \"Reset Destination\", \"Failure\", \"503\"\n , \"reset both\", \"Reset\", \"Failure\", \"503\"\n , \"deny\", \"Deny\", \"Failure\", \"503\"\n , \"drop\", \"Drop\", \"Failure\", \"503\"\n , \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\n ];\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\n [ 1, \"Informational\" \n , 2, \"Low\" \n , 3, \"Medium\"\n , 4, \"Medium\" \n , 5, \"High\"\n ];\n CommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and Activity == \"THREAT\"\n 
and DeviceEventClassID == \"url\"\n | parse-kv AdditionalExtensions as (PanOSXForwarderfor:string, PanXFFIP:string, PanOSReferer:string, PanOSRuleUUID:string, PanSrcHostname:string, PanSrcMac:string, PanSrcDeviceCat:string, PanSrcDAG:string, PanOSSrcUUID:string, PanSrcDeviceProf:string, PanSrcDeviceModel:string, PanSrcDeviceVendor:string, PanSrcDeviceOS:string, PanSrcDeviceOSv:string, PanDstHostname:string, PanDstMac:string, PanDstDeviceCat:string, PanDstDAG:string, PanOSDstUUID:string, PanDstDeviceProf:string, PanDstDeviceModel:string, PanDstDeviceVendor:string, PanDstDeviceOS:string, PanDstDeviceOSv:string) with (pair_delimiter=';', kv_delimiter='=')\n | extend \n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\n | lookup EventLookup on DeviceAction\n | lookup SeverityLookup on LogSeverity\n | project-rename \n DvcHostname = Computer\n , HttpReferrer = PanOSReferer\n , DstMacAddr = PanDstMac\n , SrcMacAddr = PanSrcMac\n , DstHostname = PanDstHostname\n , SrcHostname = PanSrcHostname\n , Url = RequestURL\n , DvcId = DeviceExternalID\n , SrcZone = DeviceCustomString4\n , DstZone = DeviceCustomString5\n , UrlCategory = DeviceCustomString2\n , DvcOriginalAction = DeviceAction\n , EventUid = _ItemId\n , EventOriginalSeverity = LogSeverity\n , EventProductVersion = DeviceVersion\n , DvcInboundInterface = DeviceInboundInterface\n , DvcOutboundInterface = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n , NetworkRuleName = DeviceCustomString1\n , ThreatOriginalConfidence = ThreatConfidence\n , DstNatIpAddr = DestinationTranslatedAddress\n , DstNatPortNumber = DestinationTranslatedPort\n , SrcNatIpAddr = SourceTranslatedAddress\n , SrcNatPortNumber = SourceTranslatedPort\n , HttpUserAgent = RequestClientApplication\n | extend\n Dvc = DvcHostname\n , DvcIdType = \"Other\"\n , EventType = 
\"HTTPsession\"\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventVendor = \"Palo Alto\"\n , EventProduct = \"PanOS\"\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , HttpRequestMethod = toupper(RequestMethod)\n , EventResultDetails = \"NA\"\n , HttpContentFormat = RequestContext\n , DstFQDN = iif(Url contains \":\", split(tostring(split(trim('\"',Url),\"/\")[0]),\":\")[0],tostring(split(trim('\"',Url),\"/\")[0]))\n , DstDomainType = \"FQDN\"\n , Src = SrcIpAddr\n , SrcUsernameType = \"Windows\"\n , DstUsernameType = \"Windows\"\n , NetworkProtocolVersion = case(\n DstIpAddr contains \".\" , \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkDirection = case(\n FlexString2 == \"client-to-server\", \"Outbound\"\n , FlexString2 == \"server-to-client\", \"Inbound\"\n , \"\")\n , IpAddr = SrcIpAddr\n , NetworkProtocol = toupper(Protocol)\n , User = SrcUsername\n , Rule = NetworkRuleName\n , NetworkSessionId = tostring(DeviceCustomNumber1)\n , DvcInterface = DvcInboundInterface\n , Hostname = DstHostname\n , UserAgent = HttpUserAgent\n | extend \n SessionId = NetworkSessionId\n , ThreatField = case(\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\")\n , Dst = DstFQDN\n | extend \n ThreatIpAddr = case(\n ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\")\n | project DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, EventSeverity, 
EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, RequestMethod, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Palo Alto Networks URL Filtering", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionPaloAltoCEF", + "query": "let parser=(disabled:bool=false){\n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\n [\n \"alert\", \"Allow\", \"Success\",\"200\"\n , \"allow\", \"Allow\", \"Success\", \"200\"\n , \"continue\", \"Allow\", \"Success\", \"200\"\n , \"override\", \"Allow\", \"Success\", \"200\"\n , \"block-continue\", \"Allow\", \"Partial\", \"200\"\n , \"block-url\", \"Deny\", \"Failure\", \"503\"\n , \"block-override\", \"Deny\", \"Failure\", \"302\"\n , \"override-lockout\", \"Deny\", \"Failure\",\"503\"\n , \"reset client\", \"Reset Source\", \"Failure\", \"503\"\n , \"reset server\", \"Reset Destination\", \"Failure\", \"503\"\n , \"reset both\", \"Reset\", \"Failure\", \"503\"\n , \"deny\", \"Deny\", \"Failure\", \"503\"\n , \"drop\", \"Drop\", \"Failure\", \"503\"\n , \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\n ];\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\n [ 1, \"Informational\" \n , 2, \"Low\" \n , 3, \"Medium\"\n , 4, \"Medium\" \n , 5, \"High\"\n ];\n CommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and 
Activity == \"THREAT\"\n and DeviceEventClassID == \"url\"\n | parse-kv AdditionalExtensions as (PanOSXForwarderfor:string, PanXFFIP:string, PanOSReferer:string, PanOSRuleUUID:string, PanSrcHostname:string, PanSrcMac:string, PanSrcDeviceCat:string, PanSrcDAG:string, PanOSSrcUUID:string, PanSrcDeviceProf:string, PanSrcDeviceModel:string, PanSrcDeviceVendor:string, PanSrcDeviceOS:string, PanSrcDeviceOSv:string, PanDstHostname:string, PanDstMac:string, PanDstDeviceCat:string, PanDstDAG:string, PanOSDstUUID:string, PanDstDeviceProf:string, PanDstDeviceModel:string, PanDstDeviceVendor:string, PanDstDeviceOS:string, PanDstDeviceOSv:string) with (pair_delimiter=';', kv_delimiter='=')\n | extend \n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\n | lookup EventLookup on DeviceAction\n | lookup SeverityLookup on LogSeverity\n | project-rename \n DvcHostname = Computer\n , HttpReferrer = PanOSReferer\n , DstMacAddr = PanDstMac\n , SrcMacAddr = PanSrcMac\n , DstHostname = PanDstHostname\n , SrcHostname = PanSrcHostname\n , Url = RequestURL\n , DvcId = DeviceExternalID\n , SrcZone = DeviceCustomString4\n , DstZone = DeviceCustomString5\n , UrlCategory = DeviceCustomString2\n , DvcOriginalAction = DeviceAction\n , EventUid = _ItemId\n , EventOriginalSeverity = LogSeverity\n , EventProductVersion = DeviceVersion\n , DvcInboundInterface = DeviceInboundInterface\n , DvcOutboundInterface = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n , NetworkRuleName = DeviceCustomString1\n , ThreatOriginalConfidence = ThreatConfidence\n , DstNatIpAddr = DestinationTranslatedAddress\n , DstNatPortNumber = DestinationTranslatedPort\n , SrcNatIpAddr = SourceTranslatedAddress\n , SrcNatPortNumber = SourceTranslatedPort\n , HttpUserAgent = RequestClientApplication\n | extend\n Dvc = DvcHostname\n , DvcIdType = \"Other\"\n 
, EventType = \"HTTPsession\"\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventVendor = \"Palo Alto\"\n , EventProduct = \"PanOS\"\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , HttpRequestMethod = toupper(RequestMethod)\n , EventResultDetails = \"NA\"\n , HttpContentFormat = RequestContext\n , DstFQDN = iif(Url contains \":\", split(tostring(split(trim('\"',Url),\"/\")[0]),\":\")[0],tostring(split(trim('\"',Url),\"/\")[0]))\n , DstDomainType = \"FQDN\"\n , Src = SrcIpAddr\n , SrcUsernameType = \"Windows\"\n , DstUsernameType = \"Windows\"\n , NetworkProtocolVersion = case(\n DstIpAddr contains \".\" , \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkDirection = case(\n FlexString2 == \"client-to-server\", \"Outbound\"\n , FlexString2 == \"server-to-client\", \"Inbound\"\n , \"\")\n , IpAddr = SrcIpAddr\n , NetworkProtocol = toupper(Protocol)\n , User = SrcUsername\n , Rule = NetworkRuleName\n , NetworkSessionId = tostring(DeviceCustomNumber1)\n , DvcInterface = DvcInboundInterface\n , Hostname = DstHostname\n , UserAgent = HttpUserAgent\n | extend \n SessionId = NetworkSessionId\n , ThreatField = case(\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\")\n , Dst = DstFQDN\n | extend \n ThreatIpAddr = case(\n ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\")\n | project DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, 
EventSeverity, EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, RequestMethod, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCortexDataLake/ASimWebSessionPaloAltoCortexDataLake.json b/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCortexDataLake/ASimWebSessionPaloAltoCortexDataLake.json index 2a3ddcae4f5..43cf95fd725 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCortexDataLake/ASimWebSessionPaloAltoCortexDataLake.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCortexDataLake/ASimWebSessionPaloAltoCortexDataLake.json 
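Review bot: The `disabled` parameter declared by `let parser=(disabled:bool=false)` is never consulted in this query: the pipeline opens with `CommonSecurityLog | where DeviceVendor == "Palo Alto Networks" ...` and has no `not(disabled)` term, so calling the function with `disabled=true` still scans the table and returns rows, unlike the Native parser earlier in this diff whose first filter is `| where not(disabled)`. Inside the JSON string the first filter should become `| where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\"` with the remaining conditions unchanged. This parser also reports `EventSchemaVersion` "0.2.5" where the neighbouring WebSession parsers report "0.2.6", which is worth confirming against the source YAML when the `disabled` fix is made there.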
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventLookup=datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"alert\", \"Allow\", \"Success\",\n \"continue\", \"Allow\", \"Success\",\n \"override\", \"Allow\", \"Success\",\n \"block-continue\", \"Allow\", \"Partial\",\n \"block-url\", \"Deny\", \"Failure\",\n \"block-override\", \"Deny\", \"Failure\",\n \"override-lockout\", \"Deny\", \"Failure\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, 
PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventLookup on DeviceAction\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n HttpRequestMethod = toupper(RequestMethod),\n NetworkProtocol = toupper(Protocol),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = 
coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"DirectionOfAttack\",\n FlexString2,\n \"VirtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSApplicationTechnology\",\n PanOSApplicationTechnology,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSHostID\",\n PanOSHostID,\n \"PanOSHTTPHeaders\",\n PanOSHTTPHeaders,\n \"PanOSInlineMLVerdict\",\n PanOSInlineMLVerdict,\n \"PanOSInboundInterfaceDetailsType\",\n PanOSInboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOSContainerName\",\n PanOSContainerName,\n \"PanOSContainerNameSpace\",\n PanOSContainerNameSpace,\n \"PanOSHTTPRefererFQDN\",\n PanOSHTTPRefererFQDN,\n \"PanOSHTTPRefererPort\",\n PanOSHTTPRefererPort,\n \"PanOSHTTPRefererProtocol\",\n PanOSHTTPRefererProtocol,\n \"PanOSHTTPRefererURLPath\",\n PanOSHTTPRefererURLPath,\n \"PanOSRuleUUID\",\n PanOSRuleUUID,\n \"PanOSURLCategoryList\",\n PanOSURLCategoryList,\n \"PanOSURLDomain\",\n PanOSURLDomain,\n \"PanOSURLCounter\",\n PanOSURLCounter,\n \"PanOSUsers\",\n PanOSUsers,\n \"PanOSVendorSeverity\",\n PanOSVendorSeverity,\n \"PanOSX-Forwarded-For\",\n [\"PanOSX-Forwarded-For\"],\n \"PanOSX-Forwarded-ForIP\",\n [\"PanOSX-Forwarded-ForIP\"],\n \"PanOSLogSource\",\n PanOSLogSource\n ),\n HttpContentType = RequestContext\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPortNumber = DestinationPort,\n 
DstUsername = DestinationUserName,\n DstZone = DeviceCustomString5,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n HttpContentFormat = RequestContext,\n HttpReferrer = PanOSReferer,\n RuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n Url = RequestURL,\n UrlCategory = DeviceCustomString2,\n EventOriginalSubType = Activity,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcInboundInterface = DeviceInboundInterface,\n DstUserId = DestinationUserID,\n SrcUserId = SourceUserID,\n HttpUserAgent = RequestClientApplication,\n SrcGeoCountry = PanOSSourceLocation,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = RuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\n User = SrcUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = 
iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n Protocol,\n ExternalID,\n Message,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventLookup=datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"alert\", 
\"Allow\", \"Success\",\n \"continue\", \"Allow\", \"Success\",\n \"override\", \"Allow\", \"Success\",\n \"block-continue\", \"Allow\", \"Partial\",\n \"block-url\", \"Deny\", \"Failure\",\n \"block-override\", \"Deny\", \"Failure\",\n \"override-lockout\", \"Deny\", \"Failure\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with 
(pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventLookup on DeviceAction\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n HttpRequestMethod = toupper(RequestMethod),\n NetworkProtocol = toupper(Protocol),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"DirectionOfAttack\",\n FlexString2,\n \"VirtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSApplicationTechnology\",\n PanOSApplicationTechnology,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSHostID\",\n PanOSHostID,\n \"PanOSHTTPHeaders\",\n PanOSHTTPHeaders,\n \"PanOSInlineMLVerdict\",\n PanOSInlineMLVerdict,\n \"PanOSInboundInterfaceDetailsType\",\n PanOSInboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOSContainerName\",\n PanOSContainerName,\n \"PanOSContainerNameSpace\",\n PanOSContainerNameSpace,\n \"PanOSHTTPRefererFQDN\",\n PanOSHTTPRefererFQDN,\n \"PanOSHTTPRefererPort\",\n PanOSHTTPRefererPort,\n \"PanOSHTTPRefererProtocol\",\n PanOSHTTPRefererProtocol,\n \"PanOSHTTPRefererURLPath\",\n PanOSHTTPRefererURLPath,\n \"PanOSRuleUUID\",\n 
PanOSRuleUUID,\n \"PanOSURLCategoryList\",\n PanOSURLCategoryList,\n \"PanOSURLDomain\",\n PanOSURLDomain,\n \"PanOSURLCounter\",\n PanOSURLCounter,\n \"PanOSUsers\",\n PanOSUsers,\n \"PanOSVendorSeverity\",\n PanOSVendorSeverity,\n \"PanOSX-Forwarded-For\",\n [\"PanOSX-Forwarded-For\"],\n \"PanOSX-Forwarded-ForIP\",\n [\"PanOSX-Forwarded-ForIP\"],\n \"PanOSLogSource\",\n PanOSLogSource\n ),\n HttpContentType = RequestContext\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DstZone = DeviceCustomString5,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n HttpContentFormat = RequestContext,\n HttpReferrer = PanOSReferer,\n RuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n Url = RequestURL,\n UrlCategory = DeviceCustomString2,\n EventOriginalSubType = Activity,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcInboundInterface = DeviceInboundInterface,\n DstUserId = DestinationUserID,\n SrcUserId = SourceUserID,\n HttpUserAgent = RequestClientApplication,\n SrcGeoCountry = PanOSSourceLocation,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = 
EventStartTime,\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = RuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\n User = SrcUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n Protocol,\n ExternalID,\n Message,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n 
ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionSonicWallFirewall/ASimWebSessionSonicWallFirewall.json b/Parsers/ASimWebSession/ARM/ASimWebSessionSonicWallFirewall/ASimWebSessionSonicWallFirewall.json
index 4276cd16a17..fb21d93a990 100644
--- a/Parsers/ASimWebSession/ARM/ASimWebSessionSonicWallFirewall/ASimWebSessionSonicWallFirewall.json
+++ b/Parsers/ASimWebSession/ARM/ASimWebSessionSonicWallFirewall/ASimWebSessionSonicWallFirewall.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionSonicWallFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionSonicWallFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for SonicWall firewalls", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionSonicWallFirewall", - "query": "let parser=(disabled:bool=false){\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\n ];\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"SonicWall\"\n and DeviceEventClassID in (14, 97)\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n SrcIpAddr = 
coalesce(SourceIP, srcV6)\n , DstIpAddr = coalesce(DestinationIP, dstV6)\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\n and isnotempty(fw_action)\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex @\"^\\w=\\d$\", \"\", RequestURL_))\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\n | where isnotempty(RequestURL)\n | lookup Actions on fw_action\n | extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n | extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n | extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n | 
extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\n , tolong(RequestMethod) == 1, \"GET\"\n , tolong(RequestMethod) == 2, \"POST\"\n , tolong(RequestMethod) == 3, \"HEAD\"\n , tolong(RequestMethod) == 4, \"PUT\"\n , tolong(RequestMethod) == 5, \"CONNECT\"\n , tolong(RequestMethod) == 6, \"\"\n , \"\"\n )\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n | project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , Dvc = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Block Category ID and Name\n , RuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. 
Src Zone Type on Gen6.\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n , HttpUserAgent = RequestClientApplication\n , Url = RequestURL\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend EventOriginalSubType = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , DvcDescription = DeviceProduct\n , Rule = RuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature 
name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"HTTPsession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventSchema = \"WebSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"\"\n , ASimMatchingIpAddr = \"-\"\n , UserAgent = HttpUserAgent\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n UrlCategory = sosCFSCategoryName\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\n , HttpStatusCode = EventResultDetails\n , SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == 
\"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , User = SrcUsername\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\n , tolong(long(null))\n )\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\n , NetworkDirection == \"Local\" 
and DstZone == \"WAN\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\n , tolong(long(null))\n )\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. 
Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"URLPathName\", sosURLPathName\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", 
sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n , \"UserSessionDuration\", sosUserSessionDuration\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , RequestURL_\n , ipspri\n , spypri\n , sos*\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nparser(disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for SonicWall firewalls", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionSonicWallFirewall", + "query": "let parser=(disabled:bool=false){\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\n ];\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"SonicWall\"\n and 
DeviceEventClassID in (14, 97)\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n SrcIpAddr = coalesce(SourceIP, srcV6)\n , DstIpAddr = coalesce(DestinationIP, dstV6)\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\n and isnotempty(fw_action)\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex @\"^\\w=\\d$\", \"\", RequestURL_))\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\n | where isnotempty(RequestURL)\n | lookup Actions on fw_action\n | extend EventResult = case(DvcAction == \"Allow\", 
\"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n | extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n | extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n | extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\n , tolong(RequestMethod) == 1, \"GET\"\n , tolong(RequestMethod) == 2, \"POST\"\n , tolong(RequestMethod) == 3, \"HEAD\"\n , tolong(RequestMethod) == 4, \"PUT\"\n , tolong(RequestMethod) == 5, \"CONNECT\"\n , tolong(RequestMethod) == 6, \"\"\n , \"\"\n )\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n | project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , Dvc = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is 
enabled).\n , sosCFSFullString = Reason // CFS Block Category ID and Name\n , RuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n , HttpUserAgent = RequestClientApplication\n , Url = RequestURL\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend 
EventOriginalSubType = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. (8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , DvcDescription = DeviceProduct\n , Rule = RuleName\n , 
NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"HTTPsession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventSchema = \"WebSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"\"\n , ASimMatchingIpAddr = \"-\"\n , UserAgent = HttpUserAgent\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n UrlCategory = sosCFSCategoryName\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\n , HttpStatusCode = EventResultDetails\n 
, SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , User = SrcUsername\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", 
tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\n , tolong(long(null))\n )\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone == \"WAN\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\n , tolong(long(null))\n )\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , 
sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"URLPathName\", sosURLPathName\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", 
sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n , \"UserSessionDuration\", sosUserSessionDuration\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , RequestURL_\n , ipspri\n , spypri\n , sos*\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nparser(disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json b/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json index 0cafc2433b5..3aec2f4b054 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionSquidProxy')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionSquidProxy", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Squid Proxy", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionSquidProxy", - "query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. 
This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\n};\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Squid Proxy", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionSquidProxy", + "query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = 
extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\n // -- aliases\n | extend \n 
EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionVectraAI/ASimWebSessionVectraAI.json b/Parsers/ASimWebSession/ARM/ASimWebSessionVectraAI/ASimWebSessionVectraAI.json index cc05f07fdfc..89eeb9599dc 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionVectraAI/ASimWebSessionVectraAI.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionVectraAI/ASimWebSessionVectraAI.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Vectra AI streams", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionVectraAI", - "query": "let parser = (disabled: bool = false, pack:bool = false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\n [\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n ];\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\n [\n 'ipv4', 'IPv4',\n 'ipv6', 'IPv6'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where metadata_type_s == 'metadata_httpsessioninfo'\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DstIpAddr = id_resp_h_s,\n EventOriginalUid = uid_s,\n HttpContentType = resp_mime_types_s,\n HttpReferrer = referrer_s,\n HttpRequestMethod = method_s,\n HttpUserAgent = user_agent_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s,\n HttpResponseCacheControl = 
response_cache_control_s,\n HttpRequestCacheControl = request_cache_control_s,\n HttpCookie = cookie_s,\n HttpResponseExpires = response_expires_s,\n HttpIsProxied = is_proxied_b,\n EventOriginalResultDetails = status_msg_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResultDetails = tostring(toint(status_code_d)),\n HttpRequestBodyBytes = tolong(request_body_len_d),\n HttpResponseBodyBytes = tolong(response_body_len_d),\n HttpRequestHeaderCount = toint(request_header_count_d),\n HttpResponseHeaderCount = toint(response_header_count_d),\n EventSchema = 'WebSession',\n EventSchemaVersion='0.2.3',\n DvcIdType = 'VectraId',\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\n EventType = 'HTTPsession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n Url = strcat('http://', host_s, uri_s)\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n 
\"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | extend\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n Hostname = DstHostname,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcIpAddr,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n //SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n UserAgent = HttpUserAgent \n};\nparser (disabled=disabled, pack=pack)", - "version": 1, - "functionParameters": "disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Vectra AI streams", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionVectraAI", + "query": "let parser = (disabled: bool = false, pack:bool = false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\n [\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n ];\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\n [\n 'ipv4', 'IPv4',\n 'ipv6', 'IPv6'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where metadata_type_s == 'metadata_httpsessioninfo'\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n 
SrcDescription = orig_hostname_s,\n DstIpAddr = id_resp_h_s,\n EventOriginalUid = uid_s,\n HttpContentType = resp_mime_types_s,\n HttpReferrer = referrer_s,\n HttpRequestMethod = method_s,\n HttpUserAgent = user_agent_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s,\n HttpResponseCacheControl = response_cache_control_s,\n HttpRequestCacheControl = request_cache_control_s,\n HttpCookie = cookie_s,\n HttpResponseExpires = response_expires_s,\n HttpIsProxied = is_proxied_b,\n EventOriginalResultDetails = status_msg_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResultDetails = tostring(toint(status_code_d)),\n HttpRequestBodyBytes = tolong(request_body_len_d),\n HttpResponseBodyBytes = tolong(response_body_len_d),\n HttpRequestHeaderCount = toint(request_header_count_d),\n HttpResponseHeaderCount = toint(response_header_count_d),\n EventSchema = 'WebSession',\n EventSchemaVersion='0.2.3',\n DvcIdType = 'VectraId',\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\n EventType = 'HTTPsession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n 
SrcPortNumber = toint(id_orig_p_d),\n Url = strcat('http://', host_s, uri_s)\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | extend\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n Hostname = DstHostname,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcIpAddr,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n //SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n UserAgent = HttpUserAgent \n};\nparser (disabled=disabled, pack=pack)", + "version": 1, + "functionParameters": "disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json b/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json index cfcba2be16e..caa4a9f1cb3 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json 
+++ b/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Zscaler ZIA", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionZscalerZIA", - "query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6,\n EventOriginalSeverity = LogSeverity,\n EventMessage = 
Message\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n SrcBytes = tolong(SentBytes),\n DstBytes = tolong(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case 
(ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away DstFQDNparts\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Zscaler ZIA", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionZscalerZIA", + "query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = 
RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n SrcBytes = tolong(SentBytes),\n DstBytes = tolong(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", 
DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away DstFQDNparts\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json b/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json index 48ba0a4e598..d439f3d5a36 100644 --- a/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json +++ b/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imWebSession')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imWebSession", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imWebSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n url_has_any:dynamic=dynamic([]), \n httpuseragent_has_any:dynamic=dynamic([]), \n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimWebSessionEmpty,\n vimWebSessionSquidProxy (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSquidProxy' in (DisabledParsers)))),\n vimWebSessionZscalerZIA (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionZscalerZIA' in (DisabledParsers)))),\n vimWebSessionNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionNative' in (DisabledParsers)))),\n vimWebSessionVectraAI (pack=pack, starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionVectraAI' in (DisabledParsers)))),\n vimWebSessionIIS (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionIIS' in (DisabledParsers)))),\n vimWebSessionPaloAltoCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCEF' in (DisabledParsers)))),\n vimWebSessionApacheHTTPServer (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionApacheHTTPServer' in (DisabledParsers)))),\n vimWebSessionFortinetFortiGate (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionFortinetFortiGate' in (DisabledParsers)))),\n vimWebSessionCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoMeraki' in (DisabledParsers)))),\n vimWebSessionBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaWAF' in (DisabledParsers)))),\n vimWebSessionBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaCEF' in (DisabledParsers)))),\n vimWebSessionCitrixNetScaler (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCitrixNetScaler' in (DisabledParsers)))),\n vimWebSessionCiscoFirepower (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoFirepower' in (DisabledParsers))))\n ,\n vimWebSessionF5ASM (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionF5ASM' in (DisabledParsers)))),\n vimWebSessionPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCortexDataLake' in (DisabledParsers)))),\n vimWebSessionSonicWallFirewall (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSonicWallFirewall' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',eventresultdetails_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imWebSession", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n url_has_any:dynamic=dynamic([]), \n httpuseragent_has_any:dynamic=dynamic([]), \n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimWebSessionEmpty,\n vimWebSessionSquidProxy (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSquidProxy' in 
(DisabledParsers)))),\n vimWebSessionZscalerZIA (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionZscalerZIA' in (DisabledParsers)))),\n vimWebSessionNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionNative' in (DisabledParsers)))),\n vimWebSessionVectraAI (pack=pack, starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionVectraAI' in (DisabledParsers)))),\n vimWebSessionIIS (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionIIS' in (DisabledParsers)))),\n vimWebSessionPaloAltoCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCEF' in (DisabledParsers)))),\n 
vimWebSessionApacheHTTPServer (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionApacheHTTPServer' in (DisabledParsers)))),\n vimWebSessionFortinetFortiGate (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionFortinetFortiGate' in (DisabledParsers)))),\n vimWebSessionCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoMeraki' in (DisabledParsers)))),\n vimWebSessionBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaWAF' in (DisabledParsers)))),\n vimWebSessionBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaCEF' in (DisabledParsers)))),\n 
vimWebSessionCitrixNetScaler (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCitrixNetScaler' in (DisabledParsers)))),\n vimWebSessionCiscoFirepower (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoFirepower' in (DisabledParsers))))\n ,\n vimWebSessionF5ASM (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionF5ASM' in (DisabledParsers)))),\n vimWebSessionPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCortexDataLake' in (DisabledParsers)))),\n vimWebSessionSonicWallFirewall (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSonicWallFirewall' in 
(DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',eventresultdetails_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json b/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json index cca9983f47d..5b578118fb9 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json 
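Review bot: The new `functionParameters` string declares `eventresultdetails_has_any:dynamic=dynamic([])` and `disabled:bool=False`, but the `let parser=(...)` signature in the `query` on the same side takes only starttime, endtime, srcipaddr_has_any_prefix, ipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult and pack, and the closing `parser (...)` call forwards nothing else, so a detection written as `imWebSession(eventresultdetails_has_any=dynamic(['500']))` runs unfiltered with no error rather than failing loudly. The smallest fix is to drop `eventresultdetails_has_any:dynamic=dynamic([]),` from the declared parameters so an unsupported argument is rejected at query time; threading it through instead would also require each `vimWebSession*` source parser to accept it, which the visible Apache parser does not. Since this template appears to be generated from the parser YAML by the ASimYaml2ARM tooling, the change belongs in the YAML source, not in this file. The removed `dependsOn` is consistent with the workspace no longer being a resource in the template, but it means deployment now presumes the workspace exists — worth a sentence in the deployment notes.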
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionApacheHTTPServer')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionApacheHTTPServer", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM Filtering parser for Apache HTTP Server", - "category": "ASIM", - "FunctionAlias": "vimWebSessionApacheHTTPServer", - "query": "let Parser=(\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\n ipaddr_has_any_prefix:dynamic = dynamic([]), \n url_has_any:dynamic = dynamic([]),\n httpuseragent_has_any:dynamic = dynamic([]),\n eventresultdetails_in:dynamic = dynamic([]),\n eventresult:string = '*',\n disabled:bool = false\n){\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = substring(l,indexof(l,@'//')+2))\n | project l\n };\n ApacheHTTPServer_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where (array_length(url_has_any) == 0 or RawData has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or RawData has_any (httpuseragent_has_any))\n | where (array_length(src_or_any) == 0 or RawData has_any (src_or_any))\n | where (array_length(eventresultdetails_in) == 0 or RawData has_any (eventresultdetails_in))\n | project 
RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n | where not (RawData startswith \"[\") \n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n | parse RawData with * '] ' Temp'\"' *\n | where (array_length(url_has_any) == 0 or Temp has_any (remove_protocol_from_list(url_has_any)))\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n | project-away RawData, Date, ClientIdentity, Temp\n | where (array_length(url_has_any) == 0 or Url has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any (httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) in (eventresultdetails_in))\n | extend \n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_SrcMatch , \"SrcIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResult = iff (\n toint(EventResultDetails) < 400, \"Success\", \n \"Failure\"\n )\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend SrcUsername = case(SrcUsername == \"-\", \"\", SrcUsername),\n HttpReferrer = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n HttpUserAgent = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n DstHostname = case(DstHostname == \"-\", \"\", DstHostname) \n | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n | project-rename \n Dst = DstHostname,\n DvcHostname = Computer,\n DvcId = _ResourceId,\n EventUid = _ItemId\n | extend \n 
HttpVersion = tostring(split(Protocol,\"/\")[1]),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n | extend \n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent,\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname,\n User = SrcUsername\n | project-away Protocol\n | extend\n EventType = \"WebServerSession\", \n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventCount = int(1),\n EventVendor = \"Apache\",\n EventProduct = \"HTTP Server\",\n EventSeverity = \"Informational\"\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM Filtering parser for Apache HTTP Server", + "category": "ASIM", + "FunctionAlias": "vimWebSessionApacheHTTPServer", + "query": "let Parser=(\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\n ipaddr_has_any_prefix:dynamic = dynamic([]), \n url_has_any:dynamic = dynamic([]),\n httpuseragent_has_any:dynamic = dynamic([]),\n eventresultdetails_in:dynamic = dynamic([]),\n eventresult:string = '*',\n disabled:bool = false\n){\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = 
print_0 to typeof(string) on\n ( extend l = substring(l,indexof(l,@'//')+2))\n | project l\n };\n ApacheHTTPServer_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where (array_length(url_has_any) == 0 or RawData has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or RawData has_any (httpuseragent_has_any))\n | where (array_length(src_or_any) == 0 or RawData has_any (src_or_any))\n | where (array_length(eventresultdetails_in) == 0 or RawData has_any (eventresultdetails_in))\n | project RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n | where not (RawData startswith \"[\") \n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n | parse RawData with * '] ' Temp'\"' *\n | where (array_length(url_has_any) == 0 or Temp has_any (remove_protocol_from_list(url_has_any)))\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n | project-away RawData, Date, ClientIdentity, Temp\n | where (array_length(url_has_any) == 0 or Url has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any (httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) in (eventresultdetails_in))\n | extend \n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_SrcMatch , \"SrcIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResult = iff (\n toint(EventResultDetails) < 
400, \"Success\", \n \"Failure\"\n )\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend SrcUsername = case(SrcUsername == \"-\", \"\", SrcUsername),\n HttpReferrer = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n HttpUserAgent = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n DstHostname = case(DstHostname == \"-\", \"\", DstHostname) \n | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n | project-rename \n Dst = DstHostname,\n DvcHostname = Computer,\n DvcId = _ResourceId,\n EventUid = _ItemId\n | extend \n HttpVersion = tostring(split(Protocol,\"/\")[1]),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n | extend \n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent,\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname,\n User = SrcUsername\n | project-away Protocol\n | extend\n EventType = \"WebServerSession\", \n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventCount = int(1),\n EventVendor = \"Apache\",\n EventProduct = \"HTTP Server\",\n EventSeverity = \"Informational\"\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
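Review bot: `remove_protocol_from_list` in the new `query` computes `substring(l, indexof(l, @'//') + 2)`; when a filter term carries no scheme separator, `indexof` returns -1 and this becomes `substring(l, 1)`, silently dropping the term's first character, so `url_has_any=dynamic(['login.php'])` is searched as `ogin.php`, which term-based `has_any` will not find in `login.php`, and both the `RawData has_any (...)` pre-filter and the later `Url has_any (...)` filter exclude every matching row without error. Guard the strip: `( extend l = iff(indexof(l, @'//') >= 0, substring(l, indexof(l, @'//') + 2), l))`. Separately, `has_any_ipv4_prefix(SrcIpAddr, src_or_any)` labels any IPv6 client address `No match` and drops it whenever a `srcipaddr_has_any_prefix` or `ipaddr_has_any_prefix` filter is supplied; if IPv6 sources are possible in `ApacheHTTPServer_CL`, that limitation should be stated in the parser's description. This template looks generated from the parser YAML, so both fixes belong in the YAML source.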
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json index 2211a5e921a..8ae9d65619a 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Barracuda CEF", - "category": "ASIM", - "FunctionAlias": "vimWebSessionBarracudaCEF", - "query": "let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor 
startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventOutcome) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | extend\n status_code = toint(EventOutcome)\n | extend EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 
399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\"),\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n HttpVersion = FlexString1,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = 
iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n temp_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Barracuda CEF", + "category": "ASIM", + "FunctionAlias": "vimWebSessionBarracudaCEF", + "query": "let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, 
\"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventOutcome) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where 
ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | extend\n status_code = toint(EventOutcome)\n | extend EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\"),\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n 
HttpVersion = FlexString1,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n temp_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] 
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json
index 4813869a62d..40b0f6bad29 100644
--- a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json
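Review bot: The `"location": "[parameters('WorkspaceRegion')]"` line now sits on the flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource, whereas the removed nested `savedSearches` child declared no `location` at all; I am not aware of the 2020-08-01 savedSearches resource defining that property, so confirm that deployment validation accepts or ignores it rather than rejecting the template, or drop the line if it is not needed. Removing `dependsOn` is consistent with the template no longer declaring the workspace itself, which also means a parser deployment no longer issues a write against the `Microsoft.OperationalInsights/workspaces` resource at the 2017-03-15-preview apiVersion and only needs write permission on the saved search — a least-privilege improvement worth a sentence in the commit description. The same two points apply to the vimWebSessionBarracudaWAF hunk that follows. These ARM files appear to be generated output of the parser tooling, so any adjustment should presumably be made in the generator's template rather than hand-edited here.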
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimWebSessionBarracudaWAF", - "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n )[];\n let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n ];\n let EventResultWFLookup = datatable (\n 
Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n )\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n ];\n let EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n )\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n ];\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and (LogType_s in (\"WF\", \"TR\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or URL_s has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or UserAgent_s has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(HTTPStatus_s) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(ClientIP_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(ServerIP_s, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on Action_s\n | extend\n status_code = toint(HTTPStatus_s)\n | extend EventResult_TR = case(\n status_code between (200 .. 
299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(LogType_s == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dst = iff(LogType_s == \"WF\", ServiceIP_s, ServerIP_s),\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n DstIpAddr = ServerIP_s,\n SrcIpAddr = ClientIP_s,\n DstBytes = tolong(BytesReceived_d),\n DstPortNumber = toint(coalesce(ServerPort_d,ServicePort_d)),\n HttpCookie = Cookie_s,\n HttpReferrer = Referer_s,\n HttpRequestBodyBytes = tolong(BytesReceived_d),\n HttpRequestMethod = Method_s,\n HttpResponseBodyBytes = tolong(BytesSent_d),\n NetworkDuration = toint(TimeTaken_d),\n HttpUserAgent = UserAgent_s,\n NetworkSessionId = SessionID_s,\n RuleName = RuleType_s,\n SrcPortNumber = toint(ClientPort_d),\n SrcUsername = CertificateUser_s,\n Url = URL_s,\n HttpResponseCacheControl = iff(\n CacheHit_d == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n ProxyIP_s,\n \"ProxyPort\",\n ProxyPort_d\n ),\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n EventResultDetails = HTTPStatus_s,\n DstUsername = AuthenticatedUser_s,\n HttpVersion = ProtocolVersion_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n 
Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n EventType_lookup,\n status_code,\n RawData,\n EventResult_*,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem,\n temp_*;\n BarracudaCustom\n };\n parser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimWebSessionBarracudaWAF", + "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n 
ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n )[];\n let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n ];\n let EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n )\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n ];\n let EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n )\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n ];\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and (LogType_s in (\"WF\", \"TR\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or URL_s has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or UserAgent_s has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(HTTPStatus_s) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(ClientIP_s, 
src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(ServerIP_s, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on Action_s\n | extend\n status_code = toint(HTTPStatus_s)\n | extend EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(LogType_s == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dst = iff(LogType_s == \"WF\", ServiceIP_s, ServerIP_s),\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n DstIpAddr = ServerIP_s,\n SrcIpAddr = ClientIP_s,\n DstBytes = tolong(BytesReceived_d),\n DstPortNumber = toint(coalesce(ServerPort_d,ServicePort_d)),\n HttpCookie = Cookie_s,\n HttpReferrer = Referer_s,\n HttpRequestBodyBytes = tolong(BytesReceived_d),\n HttpRequestMethod = Method_s,\n HttpResponseBodyBytes = tolong(BytesSent_d),\n NetworkDuration = toint(TimeTaken_d),\n HttpUserAgent = UserAgent_s,\n NetworkSessionId = SessionID_s,\n RuleName = RuleType_s,\n SrcPortNumber = toint(ClientPort_d),\n SrcUsername = CertificateUser_s,\n Url = URL_s,\n HttpResponseCacheControl = iff(\n CacheHit_d == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n ProxyIP_s,\n \"ProxyPort\",\n ProxyPort_d\n ),\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n 
EventResultDetails = HTTPStatus_s,\n DstUsername = AuthenticatedUser_s,\n HttpVersion = ProtocolVersion_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n EventType_lookup,\n status_code,\n RawData,\n EventResult_*,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem,\n temp_*;\n BarracudaCustom\n };\n parser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionCiscoFirepower/vimWebSessionCiscoFirepower.json b/Parsers/ASimWebSession/ARM/vimWebSessionCiscoFirepower/vimWebSessionCiscoFirepower.json index 53a435acc1d..26d07669339 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionCiscoFirepower/vimWebSessionCiscoFirepower.json 
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionCiscoFirepower/vimWebSessionCiscoFirepower.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionCiscoFirepower')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionCiscoFirepower", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Cisco Firepower", - "category": "ASIM", - "FunctionAlias": "vimWebSessionCiscoFirepower", - "query": "let EventFieldsLookup = datatable(\n DeviceAction: string, \n DvcAction: string,\n EventResult: string\n)\n [\n \"Detect\", \"Allow\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Malware Cloud Lookup\", \"Deny\", \"Failure\",\n \"Malware Block\", \"Deny\", \"Failure\",\n \"Malware Allow List\", \"Allow\", \"Success\",\n \"Cloud Lookup Timeout\", \"Deny\", \"Failure\",\n \"Custom Detection\", \"Allow\", \"Partial\",\n \"Custom Detection Block\", \"Deny\", \"Failure\",\n \"Archive Block-Depth Exceeded\", \"Deny\", \"Failure\",\n \"Archive Block-Encrypted\", \"Encrypt\", \"Failure\",\n \"Archive Block-Failed to Inspect\", \"Deny\", \"Failure\"\n];\nlet DirectionLookup = datatable (CommunicationDirection: string, NetworkDirection: string)[\n \"1\", \"Inbound\",\n \"2\", \"Outbound\"\n];\nlet parser=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false) {\n let src_or_any = 
set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID in(\"File:500:1\", \"FileMalware:502:1\", \"FireAMP:125:1\")\n and array_length(eventresultdetails_in) == 0\n and array_length(httpuseragent_has_any) == 0\n and ((array_length(url_has_any) == 0) or RequestURL has_any (url_has_any))\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | lookup EventFieldsLookup on DeviceAction\n | where eventresult == '*' or EventResult =~ eventresult\n | parse-kv AdditionalExtensions as (start: long) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventMessage = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString5, \"\"),\n ThreatName = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString2, \"\"),\n Disposition = case(\n DeviceEventClassID == \"FireAMP:125:1\",\n DeviceCustomString3,\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n DeviceCustomString2,\n \"\"\n ),\n AdditionalFields = todynamic(\n case(\n DeviceEventClassID == \"FireAMP:125:1\",\n bag_pack(\n \"policy\", DeviceCustomString1,\n \"process\", SourceProcessName,\n \"connectionInstance\", ProcessID,\n \"disposition\", DeviceCustomString3,\n \"event type id\", EventOutcome\n ),\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n bag_pack(\n \"connectionInstance\", ProcessID,\n \"signaturedata\", DeviceCustomString4,\n \"disposition\", 
DeviceCustomString2\n ),\n \"\"\n )\n )\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol)\n | lookup DirectionLookup on CommunicationDirection\n | extend\n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventSeverity = case(\n DvcAction == \"Allow\" and Disposition =~ \"Malware\",\n \"High\",\n DvcAction == \"Deny\" and Disposition =~ \"Malware\",\n \"Medium\",\n DvcAction == \"Deny\" and Disposition !~ \"Malware\",\n \"Low\",\n \"Informational\"\n ),\n EventOriginalType = case(\n DeviceEventClassID has \"File:500:1\",\n \"File Event\",\n DeviceEventClassID has \"FileMalware:502:1\",\n \"FileMalware Event\",\n Activity\n ),\n FileContentType = FileType,\n HttpContentType = FileType,\n FileSize = tolong(FileSize),\n ThreatCategory = iff(Disposition =~ \"Malware\", Disposition, \"\")\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend \n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventVendor = DeviceVendor,\n EventProduct = DeviceProduct,\n EventProductVersion = DeviceVersion,\n DstPortNumber = DestinationPort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n FileSHA256 = FileHash,\n SrcPortNumber = SourcePort,\n EventOriginalSeverity = LogSeverity,\n EventOriginalUid = ExtID,\n NetworkApplicationProtocol = 
ApplicationProtocol,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n HttpUserAgent = RequestClientApplication\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n HashType = \"SHA256\",\n DvcIdType = \"Other\",\n NetworkProtocolVersion=case(DstIpAddr has \".\", \"IPv4\", DstIpAddr has \":\", \"IPv6\", \"\"),\n IpAddr = SrcIpAddr,\n Hash = FileSHA256,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr)\n | project-away\n Source*,\n Destination*,\n Device*,\n start,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n FileID,\n FileModificationTime,\n Old*,\n FileCreateTime,\n FilePermission,\n IndicatorThreatType,\n MaliciousIP*,\n Message,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n FilePath,\n FileType,\n Reason,\n ReceiptTime,\n ExternalID,\n ReportReferenceLink,\n Ip_*,\n host*,\n _ResourceId,\n temp*,\n NetworkProtocolNumber,\n Disposition,\n ThreatConfidence\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "vimWebSessionCiscoFirepower", + "query": "let EventFieldsLookup = datatable(\n DeviceAction: string, \n DvcAction: string,\n EventResult: string\n)\n [\n \"Detect\", \"Allow\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Malware Cloud Lookup\", \"Deny\", \"Failure\",\n \"Malware Block\", \"Deny\", \"Failure\",\n \"Malware Allow List\", \"Allow\", \"Success\",\n \"Cloud Lookup Timeout\", \"Deny\", \"Failure\",\n \"Custom Detection\", \"Allow\", \"Partial\",\n \"Custom Detection Block\", \"Deny\", \"Failure\",\n \"Archive Block-Depth Exceeded\", \"Deny\", \"Failure\",\n \"Archive Block-Encrypted\", \"Encrypt\", \"Failure\",\n \"Archive Block-Failed to Inspect\", \"Deny\", \"Failure\"\n];\nlet DirectionLookup = datatable (CommunicationDirection: string, NetworkDirection: string)[\n \"1\", \"Inbound\",\n \"2\", \"Outbound\"\n];\nlet parser=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and 
DeviceEventClassID in(\"File:500:1\", \"FileMalware:502:1\", \"FireAMP:125:1\")\n and array_length(eventresultdetails_in) == 0\n and array_length(httpuseragent_has_any) == 0\n and ((array_length(url_has_any) == 0) or RequestURL has_any (url_has_any))\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | lookup EventFieldsLookup on DeviceAction\n | where eventresult == '*' or EventResult =~ eventresult\n | parse-kv AdditionalExtensions as (start: long) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventMessage = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString5, \"\"),\n ThreatName = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString2, \"\"),\n Disposition = case(\n DeviceEventClassID == \"FireAMP:125:1\",\n DeviceCustomString3,\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n DeviceCustomString2,\n \"\"\n ),\n AdditionalFields = todynamic(\n case(\n DeviceEventClassID == \"FireAMP:125:1\",\n bag_pack(\n \"policy\", DeviceCustomString1,\n \"process\", SourceProcessName,\n \"connectionInstance\", ProcessID,\n \"disposition\", DeviceCustomString3,\n \"event type id\", EventOutcome\n ),\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n bag_pack(\n \"connectionInstance\", ProcessID,\n \"signaturedata\", DeviceCustomString4,\n \"disposition\", DeviceCustomString2\n ),\n \"\"\n )\n )\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol)\n | lookup DirectionLookup on CommunicationDirection\n | extend\n 
EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventSeverity = case(\n DvcAction == \"Allow\" and Disposition =~ \"Malware\",\n \"High\",\n DvcAction == \"Deny\" and Disposition =~ \"Malware\",\n \"Medium\",\n DvcAction == \"Deny\" and Disposition !~ \"Malware\",\n \"Low\",\n \"Informational\"\n ),\n EventOriginalType = case(\n DeviceEventClassID has \"File:500:1\",\n \"File Event\",\n DeviceEventClassID has \"FileMalware:502:1\",\n \"FileMalware Event\",\n Activity\n ),\n FileContentType = FileType,\n HttpContentType = FileType,\n FileSize = tolong(FileSize),\n ThreatCategory = iff(Disposition =~ \"Malware\", Disposition, \"\")\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend \n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventVendor = DeviceVendor,\n EventProduct = DeviceProduct,\n EventProductVersion = DeviceVersion,\n DstPortNumber = DestinationPort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n FileSHA256 = FileHash,\n SrcPortNumber = SourcePort,\n EventOriginalSeverity = LogSeverity,\n EventOriginalUid = ExtID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n HttpUserAgent = RequestClientApplication\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = 
_ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n HashType = \"SHA256\",\n DvcIdType = \"Other\",\n NetworkProtocolVersion=case(DstIpAddr has \".\", \"IPv4\", DstIpAddr has \":\", \"IPv6\", \"\"),\n IpAddr = SrcIpAddr,\n Hash = FileSHA256,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr)\n | project-away\n Source*,\n Destination*,\n Device*,\n start,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n FileID,\n FileModificationTime,\n Old*,\n FileCreateTime,\n FilePermission,\n IndicatorThreatType,\n MaliciousIP*,\n Message,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n FilePath,\n FileType,\n Reason,\n ReceiptTime,\n ExternalID,\n ReportReferenceLink,\n Ip_*,\n host*,\n _ResourceId,\n temp*,\n NetworkProtocolNumber,\n Disposition,\n ThreatConfidence\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json b/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json index 34fef7a9789..22726499ab9 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimWebSessionCiscoMeraki", - "query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= 
endtime)\n and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\")) and (array_length(eventresultdetails_in) == 0)\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | where (array_length(url_has_any) == 0 or LogMessage has_any (url_has_any))\n and (array_length(httpuseragent_has_any) == 0 or LogMessage has_any(httpuseragent_has_any))\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string \" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | where (array_length(httpuseragent_has_any) == 0 or agent has_any(httpuseragent_has_any))\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | where array_length(url_has_any) == 0 
or Url has_any (url_has_any)\n | extend EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n )\n | where (eventresult == '*' or EventResult =~ eventresult)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac)\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch=has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == \"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend \n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n 
EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"WebSession\",\n EventSchemaVersion=\"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimWebSessionCiscoMeraki", + "query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n 
url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\")) and (array_length(eventresultdetails_in) == 0)\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | where (array_length(url_has_any) == 0 or LogMessage has_any (url_has_any))\n and (array_length(httpuseragent_has_any) == 0 or LogMessage has_any(httpuseragent_has_any))\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string \" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | 
lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | where (array_length(httpuseragent_has_any) == 0 or agent has_any(httpuseragent_has_any))\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | where array_length(url_has_any) == 0 or Url has_any (url_has_any)\n | extend EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n )\n | where (eventresult == '*' or EventResult =~ eventresult)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac)\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch=has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == 
\"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend \n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"WebSession\",\n EventSchemaVersion=\"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionCitrixNetScaler/vimWebSessionCitrixNetScaler.json b/Parsers/ASimWebSession/ARM/vimWebSessionCitrixNetScaler/vimWebSessionCitrixNetScaler.json index 46ea5ea5e9b..63bd88c5e15 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionCitrixNetScaler/vimWebSessionCitrixNetScaler.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionCitrixNetScaler/vimWebSessionCitrixNetScaler.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionCitrixNetScaler')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionCitrixNetScaler", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Citrix NetScaler(Web App Firewall)", - "category": "ASIM", - "FunctionAlias": "vimWebSessionCitrixNetScaler", - "query": "let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)\n[\n \"EMERGENCY\", \"High\",\n \"ALERT\", \"High\",\n \"CRITICAL\", \"High\",\n \"ERROR\", \"Medium\",\n \"WARNING\", \"Low\",\n \"NOTICE\", \"Low\",\n \"INFORMATIONAL\", \"Informational\",\n \"DEBUG\", \"Informational\",\n \"INFO\", \"Informationl\",\n \"WARN\", \"Low\",\n \"ERR\", \"Medium\"\n];\nlet EventFieldsLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"blocked\", \"Deny\", \"Failure\",\n \"not blocked\", \"Allow\", \"Success\",\n \"transformed\", \"Allow\", \"Success\"\n];\nlet parser = (starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n 
and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"Citrix\" and DeviceProduct == \"NetScaler\")\n | where DeviceEventClassID == \"APPFW\" and Activity has_any (\"APPFW_STARTURL\", \"APPFW_XML_cross-site scripting\", \"APPFW_SAFECOMMERCE\", \"APPFW_SAFECOMMERCE_XFORM\", \"APPFW_SIGNATURE_MATCH\", \"APPFW_XML_ERR_NOT_WELLFORMED\", \"APPFW_FIELDCONSISTENCY\", \"APPFW_SQL\", \"APPFW_BUFFEROVERFLOW_URL\", \"APPFW_BUFFEROVERFLOW_COOKIE\", \"APPFW_cross-site scripting\", \"APPFW_FIELDFORMAT\", \"APPFW_REFERER_HEADER\", \"APPFW_XSS\")\n | where array_length(httpuseragent_has_any) == 0\n | where array_length(eventresultdetails_in) == 0\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | parse RequestURL with * \"://\" host: string \"/\" *\n | extend\n DeviceAction = trim(\"[*]+\", DeviceAction),\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(RequestURL, ipaddr_has_any_prefix)\n | lookup EventFieldsLookup on DeviceAction\n | lookup EventSeverityLookup on DeviceCustomString4\n | where eventresult == '*' or EventResult =~ eventresult\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend \n Ip_host = iff(host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", host, \"\"),\n Ip_computer = iff(Computer matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", Computer, \"\"),\n HttpHost = host\n | extend\n host = iff(isempty(Ip_host), host, \"\"),\n Computer = iff(isempty(Ip_computer), Computer, \"\"),\n AdditionalFields = bag_pack(\n \"Script\", script,\n 
\"Event ID\", FieldDeviceCustomNumber1,\n \"HTTP Transaction ID\", FieldDeviceCustomNumber2,\n \"Profile Name\", DeviceCustomString1,\n \"PPE ID\", DeviceCustomString2,\n \"Signature Violation Category\", DeviceCustomString6\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | invoke _ASIM_ResolveDstFQDN('host')\n | extend\n DstIpAddr = tostring(split(Ip_host, \":\")[0]),\n DstPortNumber = toint(split(Ip_host, \":\")[1]),\n DvcIpAddr = tostring(split(Ip_computer, \":\")[0])\n | extend \n DstHostname = coalesce(DstIpAddr, DstHostname)\n | extend\n EventProduct = \"NetScaler\",\n EventVendor = \"Citrix\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventUid = _ItemId,\n SrcIpAddr = SourceIP,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n EventOriginalSeverity = DeviceCustomString4,\n EventProductVersion = DeviceVersion,\n HttpRequestMethod = method,\n NetworkSessionId = DeviceCustomString3,\n SrcPortNumber = SourcePort,\n Url = RequestURL,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSubType = Activity,\n SrcGeoCountry = geolocation\n | extend\n EventEndTime = EventStartTime,\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n Ip_*,\n LogSeverity,\n _ResourceId,\n host,\n script,\n temp*,\n ExtID\n};\nparser(\n starttime=starttime, \n 
endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Citrix NetScaler(Web App Firewall)", + "category": "ASIM", + "FunctionAlias": "vimWebSessionCitrixNetScaler", + "query": "let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)\n[\n \"EMERGENCY\", \"High\",\n \"ALERT\", \"High\",\n \"CRITICAL\", \"High\",\n \"ERROR\", \"Medium\",\n \"WARNING\", \"Low\",\n \"NOTICE\", \"Low\",\n \"INFORMATIONAL\", \"Informational\",\n \"DEBUG\", \"Informational\",\n \"INFO\", \"Informationl\",\n \"WARN\", \"Low\",\n \"ERR\", \"Medium\"\n];\nlet EventFieldsLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"blocked\", \"Deny\", \"Failure\",\n \"not blocked\", \"Allow\", \"Success\",\n \"transformed\", \"Allow\", \"Success\"\n];\nlet parser = (starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n | where 
(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"Citrix\" and DeviceProduct == \"NetScaler\")\n | where DeviceEventClassID == \"APPFW\" and Activity has_any (\"APPFW_STARTURL\", \"APPFW_XML_cross-site scripting\", \"APPFW_SAFECOMMERCE\", \"APPFW_SAFECOMMERCE_XFORM\", \"APPFW_SIGNATURE_MATCH\", \"APPFW_XML_ERR_NOT_WELLFORMED\", \"APPFW_FIELDCONSISTENCY\", \"APPFW_SQL\", \"APPFW_BUFFEROVERFLOW_URL\", \"APPFW_BUFFEROVERFLOW_COOKIE\", \"APPFW_cross-site scripting\", \"APPFW_FIELDFORMAT\", \"APPFW_REFERER_HEADER\", \"APPFW_XSS\")\n | where array_length(httpuseragent_has_any) == 0\n | where array_length(eventresultdetails_in) == 0\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | parse RequestURL with * \"://\" host: string \"/\" *\n | extend\n DeviceAction = trim(\"[*]+\", DeviceAction),\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(RequestURL, ipaddr_has_any_prefix)\n | lookup EventFieldsLookup on DeviceAction\n | lookup EventSeverityLookup on DeviceCustomString4\n | where eventresult == '*' or EventResult =~ eventresult\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend \n Ip_host = iff(host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", host, \"\"),\n Ip_computer = iff(Computer matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", Computer, \"\"),\n HttpHost = host\n | extend\n host = iff(isempty(Ip_host), host, \"\"),\n Computer = iff(isempty(Ip_computer), Computer, \"\"),\n 
AdditionalFields = bag_pack(\n \"Script\", script,\n \"Event ID\", FieldDeviceCustomNumber1,\n \"HTTP Transaction ID\", FieldDeviceCustomNumber2,\n \"Profile Name\", DeviceCustomString1,\n \"PPE ID\", DeviceCustomString2,\n \"Signature Violation Category\", DeviceCustomString6\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | invoke _ASIM_ResolveDstFQDN('host')\n | extend\n DstIpAddr = tostring(split(Ip_host, \":\")[0]),\n DstPortNumber = toint(split(Ip_host, \":\")[1]),\n DvcIpAddr = tostring(split(Ip_computer, \":\")[0])\n | extend \n DstHostname = coalesce(DstIpAddr, DstHostname)\n | extend\n EventProduct = \"NetScaler\",\n EventVendor = \"Citrix\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventUid = _ItemId,\n SrcIpAddr = SourceIP,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n EventOriginalSeverity = DeviceCustomString4,\n EventProductVersion = DeviceVersion,\n HttpRequestMethod = method,\n NetworkSessionId = DeviceCustomString3,\n SrcPortNumber = SourcePort,\n Url = RequestURL,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSubType = Activity,\n SrcGeoCountry = geolocation\n | extend\n EventEndTime = EventStartTime,\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n Ip_*,\n LogSeverity,\n _ResourceId,\n host,\n script,\n 
temp*,\n ExtID\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json b/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json index 40f00ad1c19..e34599ba292 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json 
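Review bot: The EventSeverityLookup datatable in the new `"query"` value still maps `\"INFO\", \"Informationl\"` — a misspelling of `Informational` — so NetScaler events logged at INFO get an EventSeverity outside the High/Medium/Low/Informational set the other rows use, and any detection that filters or groups on EventSeverity will silently miss them; the row should read `\"INFO\", \"Informational\",`. If this ARM file is produced from the parser YAML by the generator script, the fix belongs in the YAML source followed by regeneration, otherwise it will be overwritten. Separately, the IPv4 check `host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\"` (and the identical one on Computer) is unanchored, so a hostname such as `10.0.0.1.example.test` taken from RequestURL is classified as an IP and copied verbatim into DstIpAddr; anchoring it, e.g. `"^(\\d{1,3}\\.){3}\\d{1,3}(:\\d+)?$"` in KQL, keeps the later `split(Ip_host, \":\")` port handling working while rejecting such values. The rest of the hunk (resource flattening to `workspaces/savedSearches`) looks consistent with the other parser templates in this change.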
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimWebSessionEmpty", - "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional \n , DvcAction:string // Optional\n , DvcOriginalAction:string 
// Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , 
SrcGeoCity:string // Optional\n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- HTTP session fields\n , Url:string // Mandatory\n , UrlCategory:string // Optional\n , UrlOriginal:string // Optional\n , HttpVersion:string // Optional\n , HttpRequestMethod:string // Optional\n , HttpStatusCode:string // Alias\n , HttpContentType:string // Optional\n , HttpContentFormat:string // Optional\n , HttpReferrer:string // Optional\n , HttpUserAgent:string // Optional\n , UserAgent:string // Alias\n , HttpRequestXff:string // Optional\n , HttpRequestTime:int // Optional\n , HttpResponseTime:int // Optional\n , FileName:string // Optional\n , FileMD5:string // Optional\n , FileSHA1:string // Optional \n , FileSHA256:string // Optional\n , FileSHA512:string // Optional\n , FileSize:long // Optional\n , FileContentType:string // Optional\n , RuleName:string // Optional\n , RuleNumber:int // Optional\n , 
Rule:string // Alias\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatOriginalRiskLevel:string // Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\n parser", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimWebSessionEmpty", + "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional \n , DvcAction:string // Optional\n , DvcOriginalAction:string // Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , 
DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , SrcGeoCity:string // Optional\n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , 
NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- HTTP session fields\n , Url:string // Mandatory\n , UrlCategory:string // Optional\n , UrlOriginal:string // Optional\n , HttpVersion:string // Optional\n , HttpRequestMethod:string // Optional\n , HttpStatusCode:string // Alias\n , HttpContentType:string // Optional\n , HttpContentFormat:string // Optional\n , HttpReferrer:string // Optional\n , HttpUserAgent:string // Optional\n , UserAgent:string // Alias\n , HttpRequestXff:string // Optional\n , HttpRequestTime:int // Optional\n , HttpResponseTime:int // Optional\n , FileName:string // Optional\n , FileMD5:string // Optional\n , FileSHA1:string // Optional \n , FileSHA256:string // Optional\n , FileSHA512:string // Optional\n , FileSize:long // Optional\n , FileContentType:string // Optional\n , RuleName:string // Optional\n , RuleNumber:int // Optional\n , Rule:string // Alias\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatOriginalRiskLevel:string // 
Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\n parser", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionF5ASM/vimWebSessionF5ASM.json b/Parsers/ASimWebSession/ARM/vimWebSessionF5ASM/vimWebSessionF5ASM.json index c2f0b378843..afa944a95bf 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionF5ASM/vimWebSessionF5ASM.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionF5ASM/vimWebSessionF5ASM.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionF5ASM')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionF5ASM", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM)", - "category": "ASIM", - "FunctionAlias": "vimWebSessionF5ASM", - "query": "let DvcActionLookup = datatable (DeviceAction: string, DvcAction: string)\n[\n \"Blocked\", \"Deny\",\n \"blocked\", \"Deny\",\n \"Passed\", \"Allow\",\n \"passed\", \"Allow\",\n \"Alerted\", \"Deny\",\n \"alerted\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let DeviceEventClassIDList = dynamic([\"Brute Force Attack\", \"IP Enforcer Attack\", \"Web Scraping Attack\", \"DoS Attack\"]);\n let AllData = CommonSecurityLog\n | where not(disabled)\n | where 
(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"F5\"\n and DeviceProduct == \"ASM\"\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or (DeviceEventClassID == Activity)) or (DeviceEventClassID in (DeviceEventClassIDList))\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any)\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename DvcIpAddr = DeviceAddress;\n let GeneralEnforcementData = AllData\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or (DeviceEventClassID == Activity)) and (DeviceEventClassID !in (DeviceEventClassIDList))\n | where (array_length(httpuseragent_has_any) == 0 or DeviceCustomString3 has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(FieldDeviceCustomNumber1) has_any(eventresultdetails_in))\n | extend temp_DstMatch1 = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch1,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch1,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv DeviceCustomString3 as (Host: string, [\"User-Agent\"]: string, Cookie: string, Referer: string) with (pair_delimiter=\"\\\\r\\\\n\", kv_delimiter=\":\")\n | parse DeviceCustomString3 with * \"HTTP/\" HttpVersion: string \"\\\\r\\\\n\" rest: string\n | extend\n EventResultDetails = tostring(FieldDeviceCustomNumber1)\n | extend\n EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\")\n | where eventresult == '*' or EventResult =~ eventresult\n | project-rename \n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n 
EventOriginalUid = ExtID,\n HttpRequestMethod = RequestMethod,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpCookie = Cookie,\n HttpHost = Host,\n HttpReferrer = Referer,\n HttpUserAgent = ['User-Agent'],\n HttpRequestXff = DeviceCustomString5\n | extend\n HttpStatusCode = EventResultDetails,\n AdditionalFields = bag_pack(\n \"Full Request\", DeviceCustomString3,\n \"Attack Type\", DeviceCustomString4,\n \"Policy Apply Date\", DeviceCustomDate1,\n \"Web Application Name\",\n DeviceCustomString2\n ),\n Dst = DstIpAddr;\n let AnomalyDetectionData = AllData\n | where DeviceEventClassID in (DeviceEventClassIDList)\n | where array_length(httpuseragent_has_any) == 0 \n | where array_length(eventresultdetails_in) == 0\n | extend temp_DstMatch2 = has_any_ipv4_prefix(DvcIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch2,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch2,\n \"DstIpAddr\",\n \"No match\"\n ),\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\")\n | where ASimMatchingIpAddr != \"No match\"\n | where eventresult == '*' or EventResult =~ eventresult\n | extend\n AdditionalFields = bag_pack(\n \"Detection Average\",\n FieldDeviceCustomNumber1,\n \"Dropped Requests\",\n FieldDeviceCustomNumber2,\n \"Attack Status\",\n DeviceCustomString4,\n \"Detection Mode\",\n DeviceCustomString5,\n \"Web Application Name\",\n DeviceCustomString2\n ),\n ThreatId = tostring(FieldDeviceCustomNumber3)\n | project-away ApplicationProtocol, ExtID;\n union GeneralEnforcementData, AnomalyDetectionData\n | lookup DvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = todatetime(ReceiptTime),\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\n | extend\n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = 
\"HTTPsession\"\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n DvcOriginalAction = DeviceAction,\n Url = RequestURL,\n SrcIpAddr = SourceIP,\n SrcGeoCountry = DeviceCustomString6,\n SrcPortNumber = SourcePort,\n SrcUserId = SourceUserID,\n SrcUsername = SourceUserName,\n EventMessage = Message,\n EventProductVersion = DeviceVersion,\n RuleName = DeviceCustomString1\n | extend \n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n Rule = RuleName\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n IndicatorThreatType,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n ThreatConfidence,\n Reason,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n rest,\n temp_*,\n _ResourceId\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM)", + "category": "ASIM", + "FunctionAlias": "vimWebSessionF5ASM", + "query": "let DvcActionLookup = datatable (DeviceAction: string, DvcAction: string)\n[\n \"Blocked\", \"Deny\",\n \"blocked\", \"Deny\",\n \"Passed\", \"Allow\",\n \"passed\", \"Allow\",\n \"Alerted\", \"Deny\",\n \"alerted\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let DeviceEventClassIDList = dynamic([\"Brute Force Attack\", \"IP Enforcer Attack\", \"Web Scraping Attack\", \"DoS Attack\"]);\n let AllData = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"F5\"\n and DeviceProduct == \"ASM\"\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or (DeviceEventClassID == Activity)) 
or (DeviceEventClassID in (DeviceEventClassIDList))\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any)\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename DvcIpAddr = DeviceAddress;\n let GeneralEnforcementData = AllData\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or (DeviceEventClassID == Activity)) and (DeviceEventClassID !in (DeviceEventClassIDList))\n | where (array_length(httpuseragent_has_any) == 0 or DeviceCustomString3 has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(FieldDeviceCustomNumber1) has_any(eventresultdetails_in))\n | extend temp_DstMatch1 = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch1,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch1,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv DeviceCustomString3 as (Host: string, [\"User-Agent\"]: string, Cookie: string, Referer: string) with (pair_delimiter=\"\\\\r\\\\n\", kv_delimiter=\":\")\n | parse DeviceCustomString3 with * \"HTTP/\" HttpVersion: string \"\\\\r\\\\n\" rest: string\n | extend\n EventResultDetails = tostring(FieldDeviceCustomNumber1)\n | extend\n EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\")\n | where eventresult == '*' or EventResult =~ eventresult\n | project-rename \n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n EventOriginalUid = ExtID,\n HttpRequestMethod = RequestMethod,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpCookie = Cookie,\n HttpHost = Host,\n HttpReferrer = Referer,\n HttpUserAgent = ['User-Agent'],\n HttpRequestXff = DeviceCustomString5\n | extend\n HttpStatusCode = EventResultDetails,\n 
AdditionalFields = bag_pack(\n \"Full Request\", DeviceCustomString3,\n \"Attack Type\", DeviceCustomString4,\n \"Policy Apply Date\", DeviceCustomDate1,\n \"Web Application Name\",\n DeviceCustomString2\n ),\n Dst = DstIpAddr;\n let AnomalyDetectionData = AllData\n | where DeviceEventClassID in (DeviceEventClassIDList)\n | where array_length(httpuseragent_has_any) == 0 \n | where array_length(eventresultdetails_in) == 0\n | extend temp_DstMatch2 = has_any_ipv4_prefix(DvcIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch2,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch2,\n \"DstIpAddr\",\n \"No match\"\n ),\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\")\n | where ASimMatchingIpAddr != \"No match\"\n | where eventresult == '*' or EventResult =~ eventresult\n | extend\n AdditionalFields = bag_pack(\n \"Detection Average\",\n FieldDeviceCustomNumber1,\n \"Dropped Requests\",\n FieldDeviceCustomNumber2,\n \"Attack Status\",\n DeviceCustomString4,\n \"Detection Mode\",\n DeviceCustomString5,\n \"Web Application Name\",\n DeviceCustomString2\n ),\n ThreatId = tostring(FieldDeviceCustomNumber3)\n | project-away ApplicationProtocol, ExtID;\n union GeneralEnforcementData, AnomalyDetectionData\n | lookup DvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = todatetime(ReceiptTime),\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\n | extend\n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n DvcOriginalAction = DeviceAction,\n Url = RequestURL,\n SrcIpAddr = SourceIP,\n SrcGeoCountry = DeviceCustomString6,\n SrcPortNumber = SourcePort,\n 
SrcUserId = SourceUserID,\n SrcUsername = SourceUserName,\n EventMessage = Message,\n EventProductVersion = DeviceVersion,\n RuleName = DeviceCustomString1\n | extend \n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n Rule = RuleName\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n IndicatorThreatType,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n ThreatConfidence,\n Reason,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n rest,\n temp_*,\n _ResourceId\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json b/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json index 51c419d55c6..30186ecb1f6 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "vimWebSessionFortinetFortiGate", - "query": "let parser=(\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\n ipaddr_has_any_prefix:dynamic = dynamic([]), \n url_has_any:dynamic = dynamic([]),\n httpuseragent_has_any:dynamic = dynamic([]),\n eventresultdetails_in:dynamic = dynamic([]),\n eventresult:string = '*',\n disabled:bool = false\n){\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = substring(l,indexof(l,@'//')+2))\n | project l\n };\n let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\n [\n \"passthrough\",\"Allow\",\"Success\"\n , \"blocked\",\"Deny\",\"Failure\"\n ];\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n 
\"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"Medium\", // Alert\n \"8\", \"High\" // Emergency\n ]; \n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where DeviceVendor == \"Fortinet\" \n and DeviceProduct startswith \"Fortigate\"\n and Activity has_all ('webfilter', 'utm')\n | where (array_length(url_has_any) == 0 or RequestURL has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or AdditionalExtensions has_any(httpuseragent_has_any))\n | extend temp_SrcMatch = has_any_ipv4_prefix(SourceIP,src_or_any)\n | extend temp_DstMatch = has_any_ipv4_prefix(DestinationIP,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_DstMatch and temp_SrcMatch, \"Both\",\n temp_SrcMatch , \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend \n EventResultDetails = \"NA\"\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in)) \n | lookup EventLookup on DeviceAction \n | where (eventresult == '*' or EventResult =~ eventresult)\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ASimMatchingIpAddr\n | project-rename \n Url = RequestURL\n , UrlCategory = RequestContext\n , DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , DvcHostname = Computer\n , 
EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n , DstHostname = DestinationHostName\n , SrcHostname = SourceHostName\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | extend \n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long,\n ['ad.referralurl']:string,\n ['ad.httpmethod']:string,\n ['ad.agent']:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\n | project-rename\n HttpReferrer = ['ad.referralurl'],\n HttpRequestMethod = ['ad.httpmethod'],\n HttpUserAgent = ['ad.agent'],\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n RuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | parse AdditionalExtensions with * 
\"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\n | extend \n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\n | project-away temp_*\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))\n | extend \n EventCount = int(1)\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventType = \"HTTPsession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n , UserAgent = HttpUserAgent\n , Dvc = DvcHostname\n , User = SrcUsername\n , Hostname = DstHostname\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(RuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Fortinet 
FortiGate", + "category": "ASIM", + "FunctionAlias": "vimWebSessionFortinetFortiGate", + "query": "let parser=(\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\n ipaddr_has_any_prefix:dynamic = dynamic([]), \n url_has_any:dynamic = dynamic([]),\n httpuseragent_has_any:dynamic = dynamic([]),\n eventresultdetails_in:dynamic = dynamic([]),\n eventresult:string = '*',\n disabled:bool = false\n){\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = substring(l,indexof(l,@'//')+2))\n | project l\n };\n let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\n [\n \"passthrough\",\"Allow\",\"Success\"\n , \"blocked\",\"Deny\",\"Failure\"\n ];\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"Medium\", // Alert\n \"8\", \"High\" // Emergency\n ]; \n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where DeviceVendor == \"Fortinet\" \n and DeviceProduct startswith \"Fortigate\"\n and Activity has_all ('webfilter', 'utm')\n | where (array_length(url_has_any) == 0 or RequestURL has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or AdditionalExtensions has_any(httpuseragent_has_any))\n | extend temp_SrcMatch = has_any_ipv4_prefix(SourceIP,src_or_any)\n | extend temp_DstMatch = 
has_any_ipv4_prefix(DestinationIP,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_DstMatch and temp_SrcMatch, \"Both\",\n temp_SrcMatch , \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend \n EventResultDetails = \"NA\"\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in)) \n | lookup EventLookup on DeviceAction \n | where (eventresult == '*' or EventResult =~ eventresult)\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ASimMatchingIpAddr\n | project-rename \n Url = RequestURL\n , UrlCategory = RequestContext\n , DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , DvcHostname = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n , DstHostname = DestinationHostName\n , SrcHostname = SourceHostName\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | extend \n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv 
AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long,\n ['ad.referralurl']:string,\n ['ad.httpmethod']:string,\n ['ad.agent']:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\n | project-rename\n HttpReferrer = ['ad.referralurl'],\n HttpRequestMethod = ['ad.httpmethod'],\n HttpUserAgent = ['ad.agent'],\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n RuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | parse AdditionalExtensions with * \"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\n | extend \n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\n | project-away temp_*\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))\n | extend \n EventCount = int(1)\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventType = \"HTTPsession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion 
= case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n , UserAgent = HttpUserAgent\n , Dvc = DvcHostname\n , User = SrcUsername\n , Hostname = DstHostname\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(RuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionIIS/vimWebSessionIIS.json b/Parsers/ASimWebSession/ARM/vimWebSessionIIS/vimWebSessionIIS.json index 9cced5a3fae..587f5ac494e 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionIIS/vimWebSessionIIS.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionIIS/vimWebSessionIIS.json 
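Review bot: In the relocated `SeverityLookup` datatable inside the `query` string, the row `\"7\", \"Medium\", // Alert` sits between `\"6\", \"High\", // Critical` and `\"8\", \"High\" // Emergency`, so an Alert-level event is rated lower than the Critical level beneath it; if the linked Fortinet priority scale is monotonic, that row presumably should read `\"7\", \"High\", // Alert`. The commit only moves this string into the flattened `savedSearches` resource, so the mapping is pre-existing rather than introduced here, but it sets EventSeverity for every FortiGate web-filter record the parser emits, which is what downstream detections key on. The surrounding JSON restructuring itself looks consistent: dropping `dependsOn` matches the workspace no longer being declared by this template, and the `name` now carries the parent segment that a `workspaces/savedSearches` resource needs.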
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionIIS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionIIS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Windows IIS logs", - "category": "ASIM", - "FunctionAlias": "vimWebSessionIIS", - "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n W3CIISLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\")\n | where (eventresult == '*' or EventResult =~ eventresult)\n | where (array_length(url_has_any) == 0 or csUriStem has_any (url_has_any) or csUriQuery has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or csUserAgent has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or scStatus has_any (eventresultdetails_in))\n | extend temp_SrcMatch=has_any_ipv4_prefix(cIP,src_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch, \"Both\",\n temp_SrcMatch, 
\"SrcIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\"),\n EventResultDetails = tostring(scStatus), \n csUriQuery = iff(csUriQuery == \"-\", \"\", csUriQuery),\n csUserName = iff(csUserName == \"-\", \"\", csUserName),\n HttpVersion = iff((csVersion has \"HTTP\"), split(csVersion, \"/\")[1], \"\"), // there is a limited chance that something connects over non-HTTP\n HttpHost = iff (sSiteName in (\"Default Web Site\", \"-\"), \"\", sSiteName)\n | project-rename \n HttpRequestMethod = csMethod,\n User = csUserName, //probably won't have this one often\n Dvc = Computer,\n Dst = sIP,\n Src = cIP,\n UserAgent = csUserAgent,\n ThreatCategory = IndicatorThreatType,\n SrcGeoCountry = RemoteIPCountry,\n SrcGeoLatitude = RemoteIPLatitude,\n SrcGeoLongitude = RemoteIPLongitude,\n ThreatOriginalConfidence = Confidence,\n ThreatIpAddr = MaliciousIP,\n EventReportUrl = ReportReferenceLink,\n EventUid = _ItemId,\n DvcId = _ResourceId\n | extend\n EventOriginalSeverity = tostring(Severity),\n ThreatIsActive = tobool(IsActive),\n ThreatFirstReportedTime = todatetime(FirstReportedDateTime),\n ThreatLastReportedTime = todatetime(LastReportedDateTime),\n SrcUsername = iff ( User == \"-\", \"\", User),\n HttpReferrer = iff ( csReferer == \"-\", \"\", csReferer),\n DvcIdType = \"AzureResourceId\"\n | project-away IsActive, FirstReportedDateTime, LastReportedDateTime, Severity, sSiteName\n | extend \n SrcUsernameType = _ASIM_GetUsernameType (SrcUsername),\n DstNatIpAddr = iff(csHost <> \"\", Dst, \"\"),\n EventType = 'WebServerSession', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'WebSession', \n EventProduct = 'IIS',\n DvcOs = 'Windows',\n EventCount = int(1),\n SrcIpAddr = Src,\n IpAddr = Src,\n HttpUserAgent = UserAgent,\n HttpStatusCode = tostring(EventResultDetails),\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 
1ms)), // TimeTaken field is in Milliseconds \n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\n sPort = tostring(sPort),\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\n EventOriginalResultDetails = iff(scSubStatus <> \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\n | extend \n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\n | extend \n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\n | project-away ipv4_parts, ipv6_parts, host_parts \n | extend\n DstHostname = HttpHost,\n Hostname = HttpHost\n | extend \n ThreatField = case(\n ThreatIpAddr <> \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\n ,ThreatIpAddr <> \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\n ,\"\")\n | project-away \n AdditionalInformation,\n AzureDeploymentID,\n Date,\n Description,\n DvcOs,\n FileOffset,\n FileUri,\n MG, \n ManagementGroupName,\n Role*,\n sComputerName,\n SourceSystem,\n TLPLevel,\n TenantId,\n TimeTaken,\n Time,\n cs*,\n sPort,\n sc*,\n StorageAccount\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Windows IIS logs", + "category": "ASIM", + "FunctionAlias": "vimWebSessionIIS", + "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n W3CIISLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\")\n | where (eventresult == '*' or EventResult =~ eventresult)\n | where (array_length(url_has_any) == 0 or csUriStem has_any (url_has_any) or csUriQuery has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or csUserAgent has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or scStatus has_any (eventresultdetails_in))\n | extend temp_SrcMatch=has_any_ipv4_prefix(cIP,src_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\"),\n EventResultDetails = tostring(scStatus), \n csUriQuery = iff(csUriQuery == \"-\", 
\"\", csUriQuery),\n csUserName = iff(csUserName == \"-\", \"\", csUserName),\n HttpVersion = iff((csVersion has \"HTTP\"), split(csVersion, \"/\")[1], \"\"), // there is a limited chance that something connects over non-HTTP\n HttpHost = iff (sSiteName in (\"Default Web Site\", \"-\"), \"\", sSiteName)\n | project-rename \n HttpRequestMethod = csMethod,\n User = csUserName, //probably won't have this one often\n Dvc = Computer,\n Dst = sIP,\n Src = cIP,\n UserAgent = csUserAgent,\n ThreatCategory = IndicatorThreatType,\n SrcGeoCountry = RemoteIPCountry,\n SrcGeoLatitude = RemoteIPLatitude,\n SrcGeoLongitude = RemoteIPLongitude,\n ThreatOriginalConfidence = Confidence,\n ThreatIpAddr = MaliciousIP,\n EventReportUrl = ReportReferenceLink,\n EventUid = _ItemId,\n DvcId = _ResourceId\n | extend\n EventOriginalSeverity = tostring(Severity),\n ThreatIsActive = tobool(IsActive),\n ThreatFirstReportedTime = todatetime(FirstReportedDateTime),\n ThreatLastReportedTime = todatetime(LastReportedDateTime),\n SrcUsername = iff ( User == \"-\", \"\", User),\n HttpReferrer = iff ( csReferer == \"-\", \"\", csReferer),\n DvcIdType = \"AzureResourceId\"\n | project-away IsActive, FirstReportedDateTime, LastReportedDateTime, Severity, sSiteName\n | extend \n SrcUsernameType = _ASIM_GetUsernameType (SrcUsername),\n DstNatIpAddr = iff(csHost <> \"\", Dst, \"\"),\n EventType = 'WebServerSession', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'WebSession', \n EventProduct = 'IIS',\n DvcOs = 'Windows',\n EventCount = int(1),\n SrcIpAddr = Src,\n IpAddr = Src,\n HttpUserAgent = UserAgent,\n HttpStatusCode = tostring(EventResultDetails),\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\n sPort = tostring(sPort),\n HttpHost 
= iff ( HttpHost == \"-\", \"\", HttpHost),\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\n EventOriginalResultDetails = iff(scSubStatus <> \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\n | extend \n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\n | extend \n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\n | project-away ipv4_parts, ipv6_parts, host_parts \n | extend\n DstHostname = HttpHost,\n Hostname = HttpHost\n | extend \n ThreatField = case(\n ThreatIpAddr <> \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\n ,ThreatIpAddr <> \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\n ,\"\")\n | project-away \n AdditionalInformation,\n AzureDeploymentID,\n Date,\n Description,\n DvcOs,\n FileOffset,\n FileUri,\n MG, \n ManagementGroupName,\n Role*,\n sComputerName,\n SourceSystem,\n TLPLevel,\n TenantId,\n TimeTaken,\n Time,\n cs*,\n sPort,\n sc*,\n StorageAccount\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
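Review bot: In the IIS `query` string, the `ASimMatchingIpAddr` case expression has an unreachable branch: `temp_SrcMatch, \"Both\",` is immediately followed by `temp_SrcMatch, \"SrcIpAddr\",`, so a client address matching `ipaddr_has_any_prefix` is always reported as matching both sides, the `\"SrcIpAddr\"` value can never be produced, and the server address (`sIP`, later aliased to `Dst`) is never tested against `ipaddr_has_any_prefix` at all. Presumably a destination test was intended, in the same shape the FortiGate and Native parsers in this diff use: add `temp_DstMatch=has_any_ipv4_prefix(sIP,ipaddr_has_any_prefix)` beside the existing `temp_SrcMatch` extend, change the first branch to `temp_SrcMatch and temp_DstMatch, \"Both\",`, and insert `temp_DstMatch, \"DstIpAddr\",` before `\"No match\"`; the existing `project-away temp_*` already drops the extra column. The commit only relocates this string into the flattened resource, so the defect is pre-existing, but a caller filtering on `ipaddr_has_any_prefix` currently gets correct rows only for client-side matches.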
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionNative/vimWebSessionNative.json b/Parsers/ASimWebSession/ARM/vimWebSessionNative/vimWebSessionNative.json index 03ecedc3989..880f43b1375 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionNative/vimWebSessionNative.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionNative/vimWebSessionNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Microsoft Sentinel native Network Session table", - "category": "ASIM", - "FunctionAlias": "vimWebSessionNative", - "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n ASimWebSessionLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch and 
temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n // \n // -- Schema fixed\n | extend\n FileSize = tolong(FileSize)\n //\n // -- Log Analytics global fields renaming\n | project-rename\n EventUid = _ItemId,\n DvcScopeId = _SubscriptionId\n //\n // -- ASIM Global fields\n | extend \n EventSchema = \"WebSession\"\n | extend\n //\n // -- Default values\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\n //\n // -- Multi-source aliases\n Dvc = iff (EventType == 'HTTPSession',\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n //\n // -- Aliases which depend on EventType\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n //\n // -- Simple aliases\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent\n // --\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \n //InnerVlanId = SrcVlanId,\n //OuterVlanId = DstVlanId,\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \n | project-away\n TenantId, SourceSystem, _ResourceId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Microsoft Sentinel native Network Session table", + "category": "ASIM", + "FunctionAlias": "vimWebSessionNative", + "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n ASimWebSessionLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n 
temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n // \n // -- Schema fixed\n | extend\n FileSize = tolong(FileSize)\n //\n // -- Log Analytics global fields renaming\n | project-rename\n EventUid = _ItemId,\n DvcScopeId = _SubscriptionId\n //\n // -- ASIM Global fields\n | extend \n EventSchema = \"WebSession\"\n | extend\n //\n // -- Default values\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\n //\n // -- Multi-source aliases\n Dvc = iff (EventType == 'HTTPSession',\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n //\n // -- Aliases which depend on EventType\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n //\n // -- Simple aliases\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent\n // --\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \n //InnerVlanId = SrcVlanId,\n //OuterVlanId = DstVlanId,\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \n | project-away\n TenantId, SourceSystem, _ResourceId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, 
url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCEF/vimWebSessionPaloAltoCEF.json b/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCEF/vimWebSessionPaloAltoCEF.json index 7d190d66406..dd1db72314a 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCEF/vimWebSessionPaloAltoCEF.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCEF/vimWebSessionPaloAltoCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionPaloAltoCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionPaloAltoCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM Filtering parser for Palo Alto Networks URL Filtering", - "category": "ASIM", - "FunctionAlias": "vimWebSessionPaloAltoCEF", - "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\n [\n \"alert\", \"Allow\", \"Success\",\"200\",\n \"allow\", \"Allow\", \"Success\", \"200\",\n \"continue\", \"Allow\", \"Success\", \"200\",\n \"override\", \"Allow\", \"Success\", \"200\",\n \"block-continue\", \"Allow\", \"Partial\", \"200\",\n \"block-url\", \"Deny\", \"Failure\", \"503\",\n \"block-override\", \"Deny\", \"Failure\", \"302\",\n \"override-lockout\", \"Deny\", \"Failure\",\"503\",\n \"reset client\", \"Reset Source\", \"Failure\", \"503\",\n \"reset server\", \"Reset Destination\", \"Failure\", \"503\",\n \"reset both\", \"Reset\", \"Failure\", \"503\",\n \"deny\", \"Deny\", \"Failure\", 
\"503\",\n \"drop\", \"Drop\", \"Failure\", \"503\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\n ];\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\n [ \n 1, \"Informational\", \n 2, \"Low\",\n 3, \"Medium\",\n 4, \"Medium\", \n 5, \"High\"\n ];\n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") )\n | project l\n };\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and Activity == \"THREAT\"\n and DeviceEventClassID == \"url\"\n | where (array_length(url_has_any) == 0 or RequestURL has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n | extend temp_SrcMatch = has_any_ipv4_prefix(SourceIP,src_or_any)\n | extend temp_DstMatch = has_any_ipv4_prefix(DestinationIP,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_DstMatch and temp_SrcMatch, \"Both\",\n temp_SrcMatch , \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResultDetails = \"NA\"\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))\n | lookup EventLookup on DeviceAction\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup SeverityLookup on LogSeverity\n | parse-kv AdditionalExtensions as (\n PanOSXForwarderfor:string,\n PanXFFIP:string,\n PanOSReferer:string,\n PanOSRuleUUID:string,\n PanSrcHostname:string,\n PanSrcMac:string,\n PanSrcDeviceCat:string,\n PanSrcDAG:string,\n PanOSSrcUUID:string,\n 
PanSrcDeviceProf:string,\n PanSrcDeviceModel:string,\n PanSrcDeviceVendor:string,\n PanSrcDeviceOS:string,\n PanSrcDeviceOSv:string,\n PanDstHostname:string,\n PanDstMac:string,\n PanDstDeviceCat:string,\n PanDstDAG:string,\n PanOSDstUUID:string,\n PanDstDeviceProf:string,\n PanDstDeviceModel:string,\n PanDstDeviceVendor:string,\n PanDstDeviceOS:string,\n PanDstDeviceOSv:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend \n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\n | project-rename \n DvcHostname = Computer,\n HttpReferrer = PanOSReferer,\n DstMacAddr = PanDstMac,\n SrcMacAddr = PanSrcMac,\n DstHostname = PanDstHostname,\n SrcHostname = PanSrcHostname,\n DvcId = DeviceExternalID,\n SrcZone = DeviceCustomString4,\n DstZone = DeviceCustomString5,\n UrlCategory = DeviceCustomString2,\n DvcOriginalAction = DeviceAction,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n NetworkRuleName = DeviceCustomString1,\n ThreatOriginalConfidence = ThreatConfidence,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n HttpUserAgent = RequestClientApplication\n | extend\n Dvc = DvcHostname,\n DvcIdType = \"Other\",\n EventType = \"HTTPsession\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.5\",\n EventVendor = \"Palo Alto\",\n EventProduct = \"PanOS\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n HttpRequestMethod = toupper(RequestMethod),\n HttpContentFormat = RequestContext,\n DstDomainType = \"FQDN\",\n Src = SrcIpAddr,\n SrcUsernameType = 
case(isempty(SrcUsername), \"\", \n \"Windows\"),\n DstUsernameType = case(isempty(DstUsername), \"\", \n \"Windows\"),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\" , \"IPv4\",\n DstIpAddr contains \":\" , \"IPv6\",\n \"\"),\n NetworkDirection = case(\n FlexString2 == \"client-to-server\", \"Outbound\",\n FlexString2 == \"server-to-client\", \"Inbound\",\n \"\"),\n IpAddr = SrcIpAddr,\n NetworkProtocol = toupper(Protocol),\n User = SrcUsername,\n Rule = NetworkRuleName,\n NetworkSessionId = tostring(DeviceCustomNumber1),\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname,\n Url = trim('\"', RequestURL),\n UserAgent = HttpUserAgent\n | extend\n DstFQDN = iif(Url contains \":\", split(Url, \":\")[0], split(Url, \"/\")[0]),\n SessionId = NetworkSessionId,\n ThreatField = case(\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\",\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\",\n \"\")\n | extend \n ThreatIpAddr = case(\n ThreatField == \"SrcIpAddr\", SrcIpAddr,\n ThreatField == \"DstIpAddr\", DstIpAddr,\n \"\"),\n Dst = DstFQDN\n | project ASimMatchingIpAddr, DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, EventSeverity, EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, 
SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM Filtering parser for Palo Alto Networks URL Filtering", + "category": "ASIM", + "FunctionAlias": "vimWebSessionPaloAltoCEF", + "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\n [\n \"alert\", \"Allow\", \"Success\",\"200\",\n \"allow\", \"Allow\", \"Success\", \"200\",\n \"continue\", \"Allow\", \"Success\", \"200\",\n \"override\", \"Allow\", \"Success\", \"200\",\n \"block-continue\", \"Allow\", \"Partial\", \"200\",\n \"block-url\", \"Deny\", \"Failure\", \"503\",\n \"block-override\", \"Deny\", \"Failure\", \"302\",\n \"override-lockout\", \"Deny\", 
\"Failure\",\"503\",\n \"reset client\", \"Reset Source\", \"Failure\", \"503\",\n \"reset server\", \"Reset Destination\", \"Failure\", \"503\",\n \"reset both\", \"Reset\", \"Failure\", \"503\",\n \"deny\", \"Deny\", \"Failure\", \"503\",\n \"drop\", \"Drop\", \"Failure\", \"503\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\n ];\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\n [ \n 1, \"Informational\", \n 2, \"Low\",\n 3, \"Medium\",\n 4, \"Medium\", \n 5, \"High\"\n ];\n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") )\n | project l\n };\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and Activity == \"THREAT\"\n and DeviceEventClassID == \"url\"\n | where (array_length(url_has_any) == 0 or RequestURL has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n | extend temp_SrcMatch = has_any_ipv4_prefix(SourceIP,src_or_any)\n | extend temp_DstMatch = has_any_ipv4_prefix(DestinationIP,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_DstMatch and temp_SrcMatch, \"Both\",\n temp_SrcMatch , \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResultDetails = \"NA\"\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))\n | lookup EventLookup on DeviceAction\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup SeverityLookup on LogSeverity\n | parse-kv AdditionalExtensions as (\n 
PanOSXForwarderfor:string,\n PanXFFIP:string,\n PanOSReferer:string,\n PanOSRuleUUID:string,\n PanSrcHostname:string,\n PanSrcMac:string,\n PanSrcDeviceCat:string,\n PanSrcDAG:string,\n PanOSSrcUUID:string,\n PanSrcDeviceProf:string,\n PanSrcDeviceModel:string,\n PanSrcDeviceVendor:string,\n PanSrcDeviceOS:string,\n PanSrcDeviceOSv:string,\n PanDstHostname:string,\n PanDstMac:string,\n PanDstDeviceCat:string,\n PanDstDAG:string,\n PanOSDstUUID:string,\n PanDstDeviceProf:string,\n PanDstDeviceModel:string,\n PanDstDeviceVendor:string,\n PanDstDeviceOS:string,\n PanDstDeviceOSv:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend \n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\n | project-rename \n DvcHostname = Computer,\n HttpReferrer = PanOSReferer,\n DstMacAddr = PanDstMac,\n SrcMacAddr = PanSrcMac,\n DstHostname = PanDstHostname,\n SrcHostname = PanSrcHostname,\n DvcId = DeviceExternalID,\n SrcZone = DeviceCustomString4,\n DstZone = DeviceCustomString5,\n UrlCategory = DeviceCustomString2,\n DvcOriginalAction = DeviceAction,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n NetworkRuleName = DeviceCustomString1,\n ThreatOriginalConfidence = ThreatConfidence,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n HttpUserAgent = RequestClientApplication\n | extend\n Dvc = DvcHostname,\n DvcIdType = \"Other\",\n EventType = \"HTTPsession\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.5\",\n EventVendor = \"Palo Alto\",\n EventProduct = \"PanOS\",\n EventStartTime = 
TimeGenerated,\n EventEndTime = TimeGenerated,\n HttpRequestMethod = toupper(RequestMethod),\n HttpContentFormat = RequestContext,\n DstDomainType = \"FQDN\",\n Src = SrcIpAddr,\n SrcUsernameType = case(isempty(SrcUsername), \"\", \n \"Windows\"),\n DstUsernameType = case(isempty(DstUsername), \"\", \n \"Windows\"),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\" , \"IPv4\",\n DstIpAddr contains \":\" , \"IPv6\",\n \"\"),\n NetworkDirection = case(\n FlexString2 == \"client-to-server\", \"Outbound\",\n FlexString2 == \"server-to-client\", \"Inbound\",\n \"\"),\n IpAddr = SrcIpAddr,\n NetworkProtocol = toupper(Protocol),\n User = SrcUsername,\n Rule = NetworkRuleName,\n NetworkSessionId = tostring(DeviceCustomNumber1),\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname,\n Url = trim('\"', RequestURL),\n UserAgent = HttpUserAgent\n | extend\n DstFQDN = iif(Url contains \":\", split(Url, \":\")[0], split(Url, \"/\")[0]),\n SessionId = NetworkSessionId,\n ThreatField = case(\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\",\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\",\n \"\")\n | extend \n ThreatIpAddr = case(\n ThreatField == \"SrcIpAddr\", SrcIpAddr,\n ThreatField == \"DstIpAddr\", DstIpAddr,\n \"\"),\n Dst = DstFQDN\n | project ASimMatchingIpAddr, DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, EventSeverity, EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, 
NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCortexDataLake/vimWebSessionPaloAltoCortexDataLake.json b/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCortexDataLake/vimWebSessionPaloAltoCortexDataLake.json index 773b702776d..0a7b5e52a65 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCortexDataLake/vimWebSessionPaloAltoCortexDataLake.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCortexDataLake/vimWebSessionPaloAltoCortexDataLake.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "vimWebSessionPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventLookup=datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"alert\", \"Allow\", \"Success\",\n \"continue\", \"Allow\", \"Success\",\n \"override\", \"Allow\", \"Success\",\n \"block-continue\", \"Allow\", \"Partial\",\n \"block-url\", \"Deny\", \"Failure\",\n \"block-override\", \"Deny\", \"Failure\",\n \"override-lockout\", \"Deny\", \"Failure\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = 
dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\n and (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n and array_length(eventresultdetails_in) == 0\n and (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with 
(pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventLookup on DeviceAction\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n HttpRequestMethod = toupper(RequestMethod),\n NetworkProtocol = toupper(Protocol),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"DirectionOfAttack\",\n FlexString2,\n \"VirtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSApplicationTechnology\",\n PanOSApplicationTechnology,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSHostID\",\n PanOSHostID,\n \"PanOSHTTPHeaders\",\n PanOSHTTPHeaders,\n \"PanOSInlineMLVerdict\",\n PanOSInlineMLVerdict,\n 
\"PanOSInboundInterfaceDetailsType\",\n PanOSInboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOSContainerName\",\n PanOSContainerName,\n \"PanOSContainerNameSpace\",\n PanOSContainerNameSpace,\n \"PanOSHTTPRefererFQDN\",\n PanOSHTTPRefererFQDN,\n \"PanOSHTTPRefererPort\",\n PanOSHTTPRefererPort,\n \"PanOSHTTPRefererProtocol\",\n PanOSHTTPRefererProtocol,\n \"PanOSHTTPRefererURLPath\",\n PanOSHTTPRefererURLPath,\n \"PanOSRuleUUID\",\n PanOSRuleUUID,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSURLCategoryList\",\n PanOSURLCategoryList,\n \"PanOSURLDomain\",\n PanOSURLDomain,\n \"PanOSURLCounter\",\n PanOSURLCounter,\n \"PanOSUsers\",\n PanOSUsers,\n \"PanOSVendorSeverity\",\n PanOSVendorSeverity,\n \"PanOSX-Forwarded-For\",\n [\"PanOSX-Forwarded-For\"],\n \"PanOSX-Forwarded-ForIP\",\n [\"PanOSX-Forwarded-ForIP\"],\n \"PanOSLogSource\",\n PanOSLogSource\n ),\n HttpContentType = RequestContext\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DstZone = DeviceCustomString5,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n HttpContentFormat = RequestContext,\n HttpReferrer = PanOSReferer,\n RuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = 
SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n Url = RequestURL,\n UrlCategory = DeviceCustomString2,\n EventOriginalSubType = Activity,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcInboundInterface = DeviceInboundInterface,\n DstUserId = DestinationUserID,\n SrcUserId = SourceUserID,\n EventOwner = PanOSLogSource,\n HttpUserAgent = RequestClientApplication,\n SrcGeoCountry = PanOSSourceLocation,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = RuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\n User = SrcUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and 
PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n Protocol,\n temp*,\n ExternalID,\n Message,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "vimWebSessionPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", 
\"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventLookup=datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"alert\", \"Allow\", \"Success\",\n \"continue\", \"Allow\", \"Success\",\n \"override\", \"Allow\", \"Success\",\n \"block-continue\", \"Allow\", \"Partial\",\n \"block-url\", \"Deny\", \"Failure\",\n \"block-override\", \"Deny\", \"Failure\",\n \"override-lockout\", \"Deny\", \"Failure\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\n and (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n and array_length(eventresultdetails_in) == 0\n and (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, 
PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventLookup on DeviceAction\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, 
DeviceCustomIPv6Address3),\n HttpRequestMethod = toupper(RequestMethod),\n NetworkProtocol = toupper(Protocol),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"DirectionOfAttack\",\n FlexString2,\n \"VirtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSApplicationTechnology\",\n PanOSApplicationTechnology,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSHostID\",\n PanOSHostID,\n \"PanOSHTTPHeaders\",\n PanOSHTTPHeaders,\n \"PanOSInlineMLVerdict\",\n PanOSInlineMLVerdict,\n \"PanOSInboundInterfaceDetailsType\",\n PanOSInboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOSContainerName\",\n PanOSContainerName,\n \"PanOSContainerNameSpace\",\n PanOSContainerNameSpace,\n \"PanOSHTTPRefererFQDN\",\n PanOSHTTPRefererFQDN,\n \"PanOSHTTPRefererPort\",\n PanOSHTTPRefererPort,\n \"PanOSHTTPRefererProtocol\",\n PanOSHTTPRefererProtocol,\n \"PanOSHTTPRefererURLPath\",\n PanOSHTTPRefererURLPath,\n \"PanOSRuleUUID\",\n PanOSRuleUUID,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSURLCategoryList\",\n PanOSURLCategoryList,\n \"PanOSURLDomain\",\n PanOSURLDomain,\n \"PanOSURLCounter\",\n PanOSURLCounter,\n \"PanOSUsers\",\n PanOSUsers,\n \"PanOSVendorSeverity\",\n PanOSVendorSeverity,\n \"PanOSX-Forwarded-For\",\n [\"PanOSX-Forwarded-For\"],\n 
\"PanOSX-Forwarded-ForIP\",\n [\"PanOSX-Forwarded-ForIP\"],\n \"PanOSLogSource\",\n PanOSLogSource\n ),\n HttpContentType = RequestContext\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DstZone = DeviceCustomString5,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n HttpContentFormat = RequestContext,\n HttpReferrer = PanOSReferer,\n RuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n Url = RequestURL,\n UrlCategory = DeviceCustomString2,\n EventOriginalSubType = Activity,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcInboundInterface = DeviceInboundInterface,\n DstUserId = DestinationUserID,\n SrcUserId = SourceUserID,\n EventOwner = PanOSLogSource,\n HttpUserAgent = RequestClientApplication,\n SrcGeoCountry = PanOSSourceLocation,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", 
\"Outbound\", \"Inbound\"),\n Rule = RuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\n User = SrcUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n Protocol,\n temp*,\n ExternalID,\n Message,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n 
httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionSonicWallFirewall/vimWebSessionSonicWallFirewall.json b/Parsers/ASimWebSession/ARM/vimWebSessionSonicWallFirewall/vimWebSessionSonicWallFirewall.json
index 6260c563e3d..762de424932 100644
--- a/Parsers/ASimWebSession/ARM/vimWebSessionSonicWallFirewall/vimWebSessionSonicWallFirewall.json
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionSonicWallFirewall/vimWebSessionSonicWallFirewall.json
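Review bot: In the `query` carried into the new flat `savedSearches` resource, `NetworkDirection = iff(PanOSIsClienttoServer == "true", "Outbound", "Inbound")` labels every record whose `PanOSIsClienttoServer` key is missing from `AdditionalExtensions` (or holds any value other than `true`) as `Inbound`, so direction-keyed detections see misclassified traffic instead of an unknown direction; `NetworkDirection = case(PanOSIsClienttoServer == "true", "Outbound", PanOSIsClienttoServer == "false", "Inbound", "")` keeps the unknown case distinguishable, assuming the key can in fact be absent on some THREAT/url events. The same `extend` builds `AdditionalFields` with `bag_pack` and repeats the `PanOSDestinationDeviceOS`, `PanOSDestinationDeviceOSFamily` and `PanOSDestinationDeviceOSVersion` key/value pairs a second time after `PanOSRuleUUID`; the second set is redundant and should be dropped so the bag has one entry per key. Both issues are copied verbatim from the removed nested resource, so they predate this restructuring, but the new side is where they now live.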
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionSonicWallFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionSonicWallFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for SonicWall firewalls", - "category": "ASIM", - "FunctionAlias": "vimWebSessionSonicWallFirewall", - "query": "let parser=(\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n )\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\n ];\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"SonicWall\"\n and DeviceEventClassID in (14, 97)\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\n and (array_length(url_has_any) 
== 0 or RequestURL has_any (url_has_any) or AdditionalExtensions has_any (url_has_any))\n and (array_length(eventresultdetails_in) == 0)\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n SrcIpAddr = coalesce(SourceIP, srcV6)\n , DstIpAddr = coalesce(DestinationIP, dstV6)\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\n and isnotempty(fw_action)\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any)\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(array_length(src_or_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\")\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex 
@\"^\\w=\\d$\", \"\", RequestURL_))\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\n | where isnotempty(RequestURL)\n | lookup Actions on fw_action\n | extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n | extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n | extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\n , tolong(RequestMethod) == 1, \"GET\"\n , tolong(RequestMethod) == 2, \"POST\"\n , tolong(RequestMethod) == 3, \"HEAD\"\n , tolong(RequestMethod) == 4, \"PUT\"\n , tolong(RequestMethod) == 5, \"CONNECT\"\n , tolong(RequestMethod) == 6, \"\"\n , \"\"\n )\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , 
EventOriginalType = DeviceEventClassID\n | project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , Dvc = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Block Category ID and Name\n , RuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n , HttpUserAgent = RequestClientApplication\n , Url = RequestURL\n| where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend EventOriginalSubType = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , DvcDescription = DeviceProduct\n , Rule = RuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature 
name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"HTTPsession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventSchema = \"WebSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , UserAgent = HttpUserAgent\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n UrlCategory = sosCFSCategoryName\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\n , EventResultDetails = \"\"\n , HttpStatusCode = \"\"\n , SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n 
, SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n , User = SrcUsername\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\n , tolong(long(null))\n )\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone == \"WAN\", tolong(SentBytes)\n , 
NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\n , tolong(long(null))\n )\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action // App Rule Action.\n , sosSourceIPv6Address = srcV6 // Source IPv6 IP\n , sosDestinationIPv6Address = dstV6 // Destination IPv6 IP\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. 
Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"URLPathName\", sosURLPathName\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", 
sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n , \"UserSessionDuration\", sosUserSessionDuration\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , RequestURL_\n , ipspri\n , spypri\n , sos*\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": 
{ + "etag": "*", + "displayName": "Web Session ASIM filtering parser for SonicWall firewalls", + "category": "ASIM", + "FunctionAlias": "vimWebSessionSonicWallFirewall", + "query": "let parser=(\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n )\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\n ];\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"SonicWall\"\n and DeviceEventClassID in (14, 97)\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\n and (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any) or AdditionalExtensions has_any (url_has_any))\n and (array_length(eventresultdetails_in) == 0)\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, 
['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n SrcIpAddr = coalesce(SourceIP, srcV6)\n , DstIpAddr = coalesce(DestinationIP, dstV6)\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\n and isnotempty(fw_action)\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any)\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(array_length(src_or_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\")\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex @\"^\\w=\\d$\", \"\", RequestURL_))\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\n | where isnotempty(RequestURL)\n | lookup Actions on fw_action\n | extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend 
sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n | extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n | extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\n , tolong(RequestMethod) == 1, \"GET\"\n , tolong(RequestMethod) == 2, \"POST\"\n , tolong(RequestMethod) == 3, \"HEAD\"\n , tolong(RequestMethod) == 4, \"PUT\"\n , tolong(RequestMethod) == 5, \"CONNECT\"\n , tolong(RequestMethod) == 6, \"\"\n , \"\"\n )\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n | project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , Dvc = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Block Category ID and Name\n , RuleName = DeviceCustomString1 // Rule ID. 
Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n , HttpUserAgent = RequestClientApplication\n , Url = RequestURL\n| where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend EventOriginalSubType = case(DeviceEventCategory == 0, 
\"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. (8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , DvcDescription = DeviceProduct\n , Rule = RuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + 
coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. 
', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"HTTPsession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventSchema = \"WebSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , UserAgent = HttpUserAgent\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n UrlCategory = sosCFSCategoryName\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\n , EventResultDetails = \"\"\n , HttpStatusCode = \"\"\n , SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n , User = SrcUsername\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = 
iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\n , tolong(long(null))\n )\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone == \"WAN\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\n , tolong(long(null))\n )\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| 
project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action // App Rule Action.\n , sosSourceIPv6Address = srcV6 // Source IPv6 IP\n , sosDestinationIPv6Address = dstV6 // Destination IPv6 IP\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"URLPathName\", sosURLPathName\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n , \"UserSessionDuration\", sosUserSessionDuration\n )\n| project-away\n 
DeviceEventCategory\n , gcat\n , RequestMethod\n , RequestURL_\n , ipspri\n , spypri\n , sos*\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json b/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json
index fda80ba5f93..e5a02451910 100644
--- a/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionSquidProxy')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionSquidProxy", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Squid Proxy", - "category": "ASIM", - "FunctionAlias": "vimWebSessionSquidProxy", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = 
extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. 
This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, 
httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Squid Proxy", + "category": "ASIM", + "FunctionAlias": "vimWebSessionSquidProxy", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where 
array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = 
DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionVectraAI/vimWebSessionVectraAI.json b/Parsers/ASimWebSession/ARM/vimWebSessionVectraAI/vimWebSessionVectraAI.json index 5961725dee1..76cb5d4dfaf 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionVectraAI/vimWebSessionVectraAI.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionVectraAI/vimWebSessionVectraAI.json 
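Review bot: The flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource at the top of this hunk can only be deployed into a workspace that already exists, whereas the removed `Microsoft.OperationalInsights/workspaces` stanza (name and location only, `2017-03-15-preview`) would have created or re-PUT the workspace on every parser deployment; not declaring the workspace is the safer shape, since a template that owns the workspace resource may overwrite settings the parser deployment should not be touching. That new precondition is not stated anywhere in the template, so the `Workspace` parameter's `metadata.description` (in the `parameters` block above this hunk, not visible here) should say so, e.g. `"description": "Name of an existing Log Analytics workspace the parser function is added to"` — constructed wording, adjust to the repo's phrasing. Dropping `dependsOn` is correct now that the parent is no longer a resource in the template. The vimWebSessionVectraAI hunk below makes the same change and this note applies there as well.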
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Vectra AI streams", - "category": "ASIM", - "FunctionAlias": "vimWebSessionVectraAI", - "query": "let parser = (starttime: datetime = datetime(null),\n endtime: datetime = datetime(null),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n ipaddr_has_any_prefix: dynamic = dynamic([]),\n url_has_any: dynamic = dynamic([]),\n httpuseragent_has_any: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool = false,\n pack:bool = false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\n [\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n ];\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\n [\n 'ipv4', 'IPv4',\n 'ipv6', 'IPv6'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n let remove_protocol_from_urls = \n materialize (\n print url_has_any \n | mv-apply l = print_0 to typeof(string) on ( \n extend l = extract(@'^(?i:.*?://)?(.*)$', 1, l)\n ) \n | project l\n );\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) 
or TimeGenerated <= endtime)\n | where metadata_type_s == 'metadata_httpsessioninfo'\n | where \n (array_length(url_has_any) == 0 \n or host_s has_any(remove_protocol_from_urls) \n or uri_s has_any (remove_protocol_from_urls) \n or strcat(host_s, uri_s) has_any (remove_protocol_from_urls))\n | where (array_length(httpuseragent_has_any) == 0 or user_agent_s has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(status_code_d) has_any(eventresultdetails_in))\n | extend temp_SrcMatch=has_any_ipv4_prefix(id_orig_h_s,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(id_resp_h_s,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\n | where (eventresult == '*' or EventResult =~ eventresult)\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DstIpAddr = id_resp_h_s,\n EventOriginalUid = uid_s,\n HttpContentType = resp_mime_types_s,\n HttpReferrer = referrer_s,\n HttpRequestMethod = method_s,\n HttpUserAgent = user_agent_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s,\n HttpResponseCacheControl = response_cache_control_s,\n HttpRequestCacheControl = request_cache_control_s,\n HttpCookie = cookie_s,\n HttpResponseExpires = response_expires_s,\n HttpIsProxied = is_proxied_b,\n EventOriginalStatusDetails = status_msg_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", 
DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResultDetails = tostring(toint(status_code_d)),\n HttpRequestBodyBytes = tolong(request_body_len_d),\n HttpResponseBodyBytes = tolong(response_body_len_d),\n HttpRequestHeaderCount = toint(request_header_count_d),\n HttpResponseHeaderCount = toint(response_header_count_d),\n EventSchema = 'WebSession',\n EventSchemaVersion='0.2.3',\n DvcIdType = 'VectraId',\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\n EventType = 'HTTPsession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n Url = strcat('http://', host_s, uri_s)\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", 
unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | extend\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n Hostname = DstHostname,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcIpAddr,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n //SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n UserAgent = HttpUserAgent \n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled, pack=pack)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Vectra AI streams", + "category": "ASIM", + "FunctionAlias": "vimWebSessionVectraAI", + "query": "let parser = (starttime: datetime = datetime(null),\n endtime: datetime = datetime(null),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n ipaddr_has_any_prefix: dynamic = dynamic([]),\n url_has_any: dynamic = dynamic([]),\n httpuseragent_has_any: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool = false,\n pack:bool = false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, 
NetworkDirection:string)\n [\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n ];\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\n [\n 'ipv4', 'IPv4',\n 'ipv6', 'IPv6'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n let remove_protocol_from_urls = \n materialize (\n print url_has_any \n | mv-apply l = print_0 to typeof(string) on ( \n extend l = extract(@'^(?i:.*?://)?(.*)$', 1, l)\n ) \n | project l\n );\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where metadata_type_s == 'metadata_httpsessioninfo'\n | where \n (array_length(url_has_any) == 0 \n or host_s has_any(remove_protocol_from_urls) \n or uri_s has_any (remove_protocol_from_urls) \n or strcat(host_s, uri_s) has_any (remove_protocol_from_urls))\n | where (array_length(httpuseragent_has_any) == 0 or user_agent_s has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(status_code_d) has_any(eventresultdetails_in))\n | extend temp_SrcMatch=has_any_ipv4_prefix(id_orig_h_s,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(id_resp_h_s,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\n | where (eventresult == '*' or EventResult =~ eventresult)\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DstIpAddr = id_resp_h_s,\n EventOriginalUid = uid_s,\n HttpContentType = 
resp_mime_types_s,\n HttpReferrer = referrer_s,\n HttpRequestMethod = method_s,\n HttpUserAgent = user_agent_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s,\n HttpResponseCacheControl = response_cache_control_s,\n HttpRequestCacheControl = request_cache_control_s,\n HttpCookie = cookie_s,\n HttpResponseExpires = response_expires_s,\n HttpIsProxied = is_proxied_b,\n EventOriginalStatusDetails = status_msg_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResultDetails = tostring(toint(status_code_d)),\n HttpRequestBodyBytes = tolong(request_body_len_d),\n HttpResponseBodyBytes = tolong(response_body_len_d),\n HttpRequestHeaderCount = toint(request_header_count_d),\n HttpResponseHeaderCount = toint(response_header_count_d),\n EventSchema = 'WebSession',\n EventSchemaVersion='0.2.3',\n DvcIdType = 'VectraId',\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\n EventType = 'HTTPsession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n Url = strcat('http://', host_s, uri_s)\n | lookup NetworkDirectionLookup on 
local_orig_b, local_resp_b\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | extend\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n Hostname = DstHostname,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcIpAddr,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n //SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n UserAgent = HttpUserAgent \n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled, pack=pack)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json b/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json index 0092886e5ee..7888517bd84 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Zscaler ZIA", - "category": "ASIM", - "FunctionAlias": "vimWebSessionZscalerZIA", - "query": "let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nlet remove_protocol_from_list = (list:dynamic) \n{\n print list \n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \nipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// -- Pre filtering\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n| extend \n ASimMatchingIpAddr = case( \n 
array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SourceIP, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n| where\n (ASimMatchingIpAddr != \"No match\")\n and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n // -- Post filtering\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n )\n| where\n ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n| where eventresult == \"*\" or eventresult == EventResult\n// -- Event fields\n| lookup DvcActionLookup on DeviceAction\n| extend \n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n EventProductVersion = DeviceVersion,\n 
NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Calculated fields\n| extend\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n DvcHostname = tostring(Computer)\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = 
DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Src = SrcNatIpAddr,\n Dst = DstFQDN,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away DstFQDNparts\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\n};\nparser (starttime, endtime\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\n , url_has_any, httpuseragent_has_any\n , eventresultdetails_in, eventresult, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Zscaler ZIA", + "category": "ASIM", + "FunctionAlias": "vimWebSessionZscalerZIA", + "query": "let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nlet remove_protocol_from_list = (list:dynamic) \n{\n print list \n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), 
\nipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// -- Pre filtering\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n| extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SourceIP, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n| where\n (ASimMatchingIpAddr != \"No match\")\n and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n // -- Post filtering\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n )\n| where\n ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n| where eventresult == \"*\" or eventresult == EventResult\n// -- Event fields\n| lookup DvcActionLookup on 
DeviceAction\n| extend \n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Calculated fields\n| extend\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, 
\".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n DvcHostname = tostring(Computer)\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Src = SrcNatIpAddr,\n Dst = DstFQDN,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away DstFQDNparts\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\n};\nparser (starttime, endtime\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\n , url_has_any, httpuseragent_has_any\n , eventresultdetails_in, eventresult, disabled)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json b/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json index ce311ecc984..022557d7302 100644 --- a/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json +++ b/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json @@ -20,7 +20,7 @@ "dataTypes": [ { "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriteria": [ diff --git a/Solutions/Google Cloud Platform Security Command Center/Package/3.0.6.zip b/Solutions/Google Cloud Platform Security Command Center/Package/3.0.6.zip new file mode 100644 index 00000000000..5db960f7457 Binary files /dev/null and b/Solutions/Google Cloud Platform Security Command Center/Package/3.0.6.zip differ diff --git a/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json b/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json index a40b7983517..46a068e82be 100644 --- a/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json +++ b/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json 
@@ -42,7 +42,7 @@
 "variables": {
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_solutionName": "Google Cloud Security Command Center",
- "_solutionVersion": "3.0.5",
+ "_solutionVersion": "3.0.6",
 "_solutionAuthor": "Microsoft",
 "_packageIcon": "google_logo",
 "solutionId": "azuresentinel.azure-sentinel-solution-gcpscclogs-api",
@@ -113,7 +113,7 @@
 "dataTypes": [
 {
 "name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriteria": [
@@ -297,7 +297,7 @@
 "dataTypes": [
 {
 "name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriteria": [
diff --git a/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md b/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md
index 2afcd26bfe9..b505b3409c7 100644
--- a/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md
+++ b/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md
@@ -1,4 +1,5 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|---------------------------------------------|
-| 3.0.5 | 16-05-2024 | Modification in ** Data Connector ** |
-| 3.0.4 | 28-02-2024 | Initial solution release |
\ No newline at end of file
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|------------------------------------------------|
+| 3.0.6 | 12-11-2024 | Modified datatype query for **Data Connector** |
+| 3.0.5 | 16-05-2024 | Modification in ** Data Connector ** |
+| 3.0.4 | 28-02-2024 | Initial solution release |
\ No newline at end of file
diff --git a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json
index 58745037d18..dbc33554635 100644
--- a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json
+++ b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json
@@ -22,7 +22,7 @@
 "Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json"
 ],
 "BasePath": "C:\\Azure-Sentinel\\Solutions\\RubrikSecurityCloud",
- "Version": "3.2.0",
+ "Version": "3.2.1",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/RubrikSecurityCloud/Package/3.2.1.zip b/Solutions/RubrikSecurityCloud/Package/3.2.1.zip
new file mode 100644
index 00000000000..daeba8ac591
Binary files /dev/null and b/Solutions/RubrikSecurityCloud/Package/3.2.1.zip differ
diff --git a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json
index 75944cc9801..43459c8a6e0 100644
--- a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json
+++ b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json
@@ -33,7 +33,7 @@
 "email": "ben.meadowcroft@rubrik.com",
 "_email": "[variables('email')]",
 "_solutionName": "RubrikSecurityCloud",
- "_solutionVersion": "3.2.0",
+ "_solutionVersion": "3.2.1",
 "solutionId": "rubrik_inc.rubrik_sentinel",
 "_solutionId": "[variables('solutionId')]",
 "RubrikCustomConnector": "RubrikCustomConnector",
@@ -190,7 +190,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikCustomConnector Playbook with template version 3.2.0",
+ "description": "RubrikCustomConnector Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -356,7 +356,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikAnomalyAnalysis Playbook with template version 3.2.0",
+ "description": "RubrikAnomalyAnalysis Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -3413,7 +3413,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.2.0",
+ "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -4111,7 +4111,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikDataObjectDiscovery Playbook with template version 3.2.0",
+ "description": "RubrikDataObjectDiscovery Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -6722,7 +6722,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.2.0",
+ "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion5')]",
@@ -7368,7 +7368,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikIOCScan Playbook with template version 3.2.0",
+ "description": "RubrikIOCScan Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion6')]",
@@ -9821,7 +9821,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikPollAsyncResult Playbook with template version 3.2.0",
+ "description": "RubrikPollAsyncResult Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion7')]",
@@ -10685,7 +10685,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.2.0",
+ "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion8')]",
@@ -12613,7 +12613,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.2.0",
+ "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion9')]",
@@ -16554,7 +16554,7 @@
 "RubrikCustomConnector": {
 "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RubrikcustomconnectorConnectionName'))]",
 "connectionName": "[[variables('RubrikcustomconnectorConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/customApis/Rubrikcustomconnector')]"
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('Rubrik Connector name'))]"
 },
 "keyvault_1": {
 "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
@@ -16734,7 +16734,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.2.0",
+ "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion10')]",
@@ -19991,7 +19991,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.2.0",
+ "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion11')]",
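Review bot: The new `id` line in the `-16554` hunk assembles the custom API resource id by hand with `concat(...)` from `subscription().subscriptionId`, `resourceGroup().name` and the user-supplied `parameters('Rubrik Connector name')`, while the `connectionId` two lines above already uses `resourceId()`; the idiomatic form that yields the same resource-group-scoped path with no manual path building is `"id": "[[resourceId('Microsoft.Web/customApis', parameters('Rubrik Connector name'))]"`. Because of the `[[` escaping this expression is evaluated by the nested playbook deployment, so `Rubrik Connector name` must be declared in that nested template's `parameters` block — that declaration is outside this hunk, so please confirm it exists in the packaged template rather than only in the playbook's standalone azuredeploy.json. The `RubrikCustomConnector` connection object continues past the end of the hunk.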
@@ -21957,7 +21957,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.2.0",
+ "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion12')]",
@@ -23657,7 +23657,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.2.0",
+ "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion13')]",
@@ -24977,7 +24977,7 @@
 "DownloadLink",
 "Rubrik"
 ],
- "lastUpdateTime": "2024-04-22T00:14:11.499Z",
+ "lastUpdateTime": "2024-04-21T00:00:00Z",
 "releaseNotes": {
 "version": "1.0",
 "title": "[variables('blanks')]",
@@ -25009,7 +25009,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RubrikSecurityCloud data connector with template version 3.2.0",
+ "description": "RubrikSecurityCloud data connector with template version 3.2.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -25438,7 +25438,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.2.0",
+ "version": "3.2.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "RubrikSecurityCloud",
diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json b/Solutions/RubrikSecurityCloud/Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json
index bb1b66313f6..8e5f7a3b461 100644
--- a/Solutions/RubrikSecurityCloud/Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json
+++ b/Solutions/RubrikSecurityCloud/Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json
@@ -35,6 +35,7 @@
 "4. In principal section, search by copied object ID. Click next.",
 "5. Click review + create."
 ],
+ "lastUpdateTime": "2024-04-22T00:14:08.736Z",
 "entities": [
 "account",
 "url"
diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json b/Solutions/RubrikSecurityCloud/Playbooks/RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json
index 2de8ba41ea9..ce65ed2d3b4 100644
--- a/Solutions/RubrikSecurityCloud/Playbooks/RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json
+++ b/Solutions/RubrikSecurityCloud/Playbooks/RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json
@@ -88,7 +88,7 @@
 {
 "properties": {
 "provisioningState": "Succeeded",
- "state": "Disabled",
+ "state": "Enabled",
 "definition": {
 "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
 "contentVersion": "1.0.0.0",
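Review bot: The `-88` hunk of RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json flips the Logic App from `"state": "Disabled"` to `"state": "Enabled"`, a behavioral change that the 3.2.1 release-note line in this commit does not mention (it cites only the custom connector id fix), and none of the `Package/mainTemplate.json` hunks in this diff touch a `state` field, so unless the packaged template already deployed this playbook enabled, the standalone template and the package now disagree. For a playbook that, per its name, performs VM recovery, going live as soon as its API connections are authorized deserves an explicit decision: either restore `"state": "Disabled"` so an operator enables it after reviewing the connections, or document the change in ReleaseNotes.md and regenerate the package so both templates match. The workflow definition continues past the end of the hunk.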
@@ -4044,7 +4044,7 @@
 "RubrikCustomConnector": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('RubrikcustomconnectorConnectionName'))]",
 "connectionName": "[variables('RubrikcustomconnectorConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/customApis/Rubrikcustomconnector')]"
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('Rubrik Connector name'))]"
 },
 "keyvault_1": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
diff --git a/Solutions/RubrikSecurityCloud/ReleaseNotes.md b/Solutions/RubrikSecurityCloud/ReleaseNotes.md
index f58d0af8ae8..6dc9ee7d3e2 100644
--- a/Solutions/RubrikSecurityCloud/ReleaseNotes.md
+++ b/Solutions/RubrikSecurityCloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.2.1 | 11-11-2024 | Fixed the issue of Custom Connector id parameter in RubrikRansomwareDiscoveryAndVmRecovery playbook. |
 | 3.2.0 | 24-02-2024 | Added 3 new Playbooks(RubrikFileObjectContextAnalysis, RubrikUserIntelligenceAnalysis, RubrikRetrieveUserIntelligenceInformation) for FileObject and User, fixed clusterLocation issue of Collect_IOC_Scan_Data adaptive card in RubrikRansomwareDiscoveryAndVmRecovery playbook and updated python packages to fix vulnerability CVE-2023-50782 of cryptography module. Enhanced Anomaly Analysis playbook and added RubrikAnomalyGenerateDownloadableLink playbook. |
 | 3.1.0 | 20-10-2023 | Updated the **DataConnector** code by implementing Durable Function App. |
 | 3.0.0 | 14-07-2023 | Updated the title in such a way that user can identify the adaptive card based on incident. |
\ No newline at end of file
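Review bot: The new `id` line builds the custom API resource id by string concatenation, which is what the old location-scoped path got wrong in the first place; the `connectionId` line just above shows the safer pattern, so prefer `"id": "[resourceId('Microsoft.Web/customApis', parameters('Rubrik Connector name'))]"`, which produces the same resource-group-scoped id without hand-assembling path segments. `parameters('Rubrik Connector name')` is referenced here but declared outside the hunk; confirm this template's `parameters` block defines it, since a missing declaration only fails at deployment time. The `RubrikCustomConnector` connection object continues past the end of the hunk.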
diff --git a/Solutions/Windows Firewall/Data Connectors/template_WindowsFirewallAma.JSON b/Solutions/Windows Firewall/Data Connectors/template_WindowsFirewallAma.JSON index d62f39cc8a1..b14d419584e 100644 --- a/Solutions/Windows Firewall/Data Connectors/template_WindowsFirewallAma.JSON +++ b/Solutions/Windows Firewall/Data Connectors/template_WindowsFirewallAma.JSON @@ -1,6 +1,6 @@ { "id": "WindowsFirewallAma", - "title": "Windows Firewall Events via AMA (Preview)", + "title": "Windows Firewall Events via AMA", "publisher": "Microsoft", "descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace.\n\nA configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with **SentinelDCE** prefix in the resource name.\n\nFor more information, see the following articles:\n- [Data collection endpoints in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\n- [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci)", "graphQueries": [ 
diff --git a/Solutions/Windows Firewall/Package/3.0.2.zip b/Solutions/Windows Firewall/Package/3.0.2.zip
index 4ac2a16a2f7..8b1eaf43b1a 100644
Binary files a/Solutions/Windows Firewall/Package/3.0.2.zip and b/Solutions/Windows Firewall/Package/3.0.2.zip differ
diff --git a/Solutions/Windows Firewall/Package/mainTemplate.json b/Solutions/Windows Firewall/Package/mainTemplate.json
index 4763bf9ef7c..92720f9f6d9 100644
--- a/Solutions/Windows Firewall/Package/mainTemplate.json
+++ b/Solutions/Windows Firewall/Package/mainTemplate.json
@@ -256,7 +256,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "Windows Firewall Events via AMA (Preview)", + "title": "Windows Firewall Events via AMA", "publisher": "Microsoft", "descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace.\n\nA configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with **SentinelDCE** prefix in the resource name.\n\nFor more information, see the following articles:\n- [Data collection endpoints in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\n- [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci)", "graphQueries": [ @@ -316,7 +316,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "Windows Firewall Events via AMA (Preview)", + "displayName": "Windows Firewall Events via AMA", "contentProductId": "[variables('_dataConnectorcontentProductId2')]", "id": "[variables('_dataConnectorcontentProductId2')]", "version": "[variables('dataConnectorVersion2')]" 
@@ -360,7 +360,7 @@ "kind": "StaticUI", "properties": { "connectorUiConfig": { - "title": "Windows Firewall Events via AMA (Preview)", + "title": "Windows Firewall Events via AMA", "publisher": "Microsoft", "descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace.\n\nA configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with **SentinelDCE** prefix in the resource name.\n\nFor more information, see the following articles:\n- [Data collection endpoints in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\n- [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci)", "graphQueries": [