[ASIM: NXLog ASIM DNS PARSER UPDATES] #8516
Conversation
This PR addresses the feedback received from Microsoft / @devikamehra about contributing my changes to the ASIM DNS NXLog parser directly, instead of as part of a solution.

CHANGES:
- Updated schema version
- Extended the list of known DNS query types
- Trying to re-introduce the DvcIpAddr field
- Removed deprecated fields

REASONS FOR CHANGE(S):
- The previous version of the parser was over a year old
- New schema versions were released since then
- Aiming to sync up the two parser versions that are in the repository

VERSION UPDATED:
- Yes, to version 0.5

TESTING COMPLETED:
- Need Help / How can I test this unreleased parser in my environment?

RAN VALIDATIONS:
- Yes, all validations passed successfully

This work is associated with NXLog's Jira Issue IN-366

Signed-off-by: Janos Szigetvari <janos.szigetvari@nxlog.org>
Dear @devikamehra, as requested in PR 8154, these are the changes that I would like to contribute to the Microsoft-maintained, NXLog-related ASIM parsers.
@vakohl Could you please give me some feedback, to see if there are any necessary changes that I'd need to make?
@jszigetvari-nxlog thank you for contributing to making Microsoft Sentinel better. I'll try to complete my review this week. Can you please run the ASIM parser test functions for schema and data and attach both outputs to this PR? That would be 4 CSV files, two for ASim and two for vim. Also, if possible, please attach the sample logs as well; that would help me with the review.
@vakohl Thanks for your feedback and kind words. Unfortunately I will have very little time in the upcoming few days to work on the tests. Perhaps next Monday I can allot some time for this. Either way, I will let you know once I'm done with it, or if I get stuck somewhere.
@vakohl Hi Varun, I tried saving the parsers into my workspace manually, by pasting the ParserQuery parts into the Sentinel Logs view/query editor and saving them under a unique name, as functions. But unfortunately, in the case of the vim one, I get an error, and the save operation fails with:
Hi @jszigetvari-nxlog, thanks for sharing the information, we will get back soon on this.
* added link pointing to the source of the DNS RR IDs Signed-off-by: Janos Szigetvari <janos.szigetvari@nxlog.org>
Try replacing last line:
* addressing review findings by vakohl (Thanks!) Signed-off-by: Janos Szigetvari <janos.szigetvari@nxlog.org>
@vakohl Thank you Varun for your review comments! I will try your suggestion when I have some time.
@vakohl Hi Varun, Thank you, your recommendation worked, I was able to save the vim parser with your changes.
@vakohl Hello Varun, Please let us agree on the still-open questions, and I will push the resulting corrections to this branch, and then hopefully we can move towards merging this PR. ASimDnsMicrosoftNXLog_ASimSchemaTester_query_out.csv
I'll take a look and respond this week.
@vakohl do you have any update on this?
@jszigetvari-nxlog can you upload the result as mentioned in the guidelines here?
@vakohl Thanks for the review, I will start working on it next Monday.
@vakohl After the latest corrections I tried to run both of these (separately):
But they both returned no results. (The time range was set to the last 4 months, and I used this very same setting during the last round of testing.)
* addressing latest review findings by vakohl
* cleaned up non-normalized fields a bit further
* removed fields/aliases that were marked as deprecated in the schema
* removed obsolete DNS RR types
* added new fields/aliases: SrcHostname and EventUid
* added latest test outputs for the parsers
* had some problems with running the data tests
Signed-off-by: Janos Szigetvari <janos.szigetvari@nxlog.org>
* hoping to clean up failing test
Signed-off-by: Janos Szigetvari <janos.szigetvari@nxlog.org>
@vakohl Apparently some of the tests are failing, but to me they don't seem to be tightly related to the changes I've made. Could you please help in finding out what may be wrong?
When running the parser for testing results, you can use the filter/parameters you were using before, i.e. giving specific values. But with the PR submission, you should declare the filter as I suggested in one of my previous comments.
For validation errors, please see https://dev.azure.com/azure/Azure-Sentinel/_build/results?buildId=64957&view=logs&jobId=2bbe2297-1b5b-54f3-6060-67e7b289f6c3&j=2bbe2297-1b5b-54f3-6060-67e7b289f6c3&t=293f4a23-e36d-5efa-3a4e-ea46d4ab6d83 Please add the '_ItemId' field of type string in the custom table here: https://github.com/Azure/Azure-Sentinel/blob/d798b63ced54f34a701e4893e0066b857b4ced72/.script/tests/KqlvalidationsTests/CustomTables/NXLog_DNS_Server_CL.json For the other two fields showing in the error, i.e. Category and Level, we should not see an error for them after removing them from project-away.
Thanks for pointing to the source of the problem. It really helped. |
It turned out that there was a different problem, but I sorted it now, so I am submitting the latest results for the data tests too. |
@vakohl All the necessary changes were carried out, and the tests are passing now. |
* addressing latest review findings by vakohl
* re-added fields Category and Level
* synchronized DNS RR types with the IANA list
* corrected NXLog_DNS_Server_CL table schema for the KQL validation tests
* added latest test outputs for the parsers
Signed-off-by: Janos Szigetvari <janos.szigetvari@nxlog.org>
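The commit above synchronizes the parser's DNS RR type list with the IANA registry. As an added example (not code from this PR or the Azure-Sentinel repository), here is a Python helper that builds such a lookup from the IANA DNS parameters CSV; the column layout, the sample rows and the KQL datatable column names are assumptions made for the example, and the rows are constructed rather than the full registry.

```python
"""Build a DNS RR type lookup (number -> mnemonic) from the IANA registry CSV.
Assumed layout of dns-parameters-4.csv: header row, then TYPE,Value,Meaning,...
where Value is a number or a range ("66-98") for Unassigned/Private-use blocks.
"""
import csv
import io
import re
from typing import Dict

# Constructed sample rows in the IANA layout (not the full registry).
SAMPLE_IANA_CSV = """TYPE,Value,Meaning,Reference,Template,Registration Date
A,1,a host address,[RFC1035],,
NS,2,an authoritative name server,[RFC1035],,
CNAME,5,the canonical name for an alias,[RFC1035],,
AAAA,28,IP6 Address,[RFC3596],,
HTTPS,65,HTTPS Binding,[RFC9460],,
Unassigned,66-98,,,,
CAA,257,Certification Authority Restriction,[RFC8659],,
Reserved,65535,,[RFC6895],,
"""

_RANGE = re.compile(r"^\d+-\d+$")

def parse_iana_rr_types(csv_text: str) -> Dict[int, str]:
    """Return {rr_number: mnemonic} for concretely assigned types only.
    Range rows and Unassigned/Reserved placeholders are skipped so the
    lookup carries only names a DNS server log would actually report."""
    types: Dict[int, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, value = row["TYPE"].strip(), row["Value"].strip()
        if _RANGE.match(value) or not value.isdigit():
            continue  # range block or malformed value
        if name in ("Unassigned", "Reserved"):
            continue
        types[int(value)] = name
    return types

def rr_type_name(types: Dict[int, str], number: int) -> str:
    """Map a numeric query type to its mnemonic; unknown numbers fall back
    to the RFC 3597 TYPE<n> form so the event is never dropped."""
    return types.get(number, f"TYPE{number}")

def to_kql_datatable(types: Dict[int, str]) -> str:
    """Render the lookup as a KQL datatable literal (hypothetical column names)."""
    rows = ", ".join(f'{k}, "{v}"' for k, v in sorted(types.items()))
    return f"datatable(DnsQueryType:int, DnsQueryTypeName:string)[{rows}]"
```

Running it against the real registry download instead of the constructed sample gives a current list that can be diffed against the one hard-coded in the parser.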
@vakohl This has been an exhausting process. I assume it was the same for you. Thanks for your efforts!
* addressing latest review findings by vakohl
* undid some of the recent changes to fields, like SrcHostname and Hostname
* updated test results
Signed-off-by: Janos Szigetvari <janos.szigetvari@nxlog.org>
@jszigetvari-nxlog thank you for your contribution. I'll approve this PR once the validations are through.
@vakohl The KqlValidations task failed for some reason, and I tried to look at the error(s), but the error log doesn't seem to be too helpful: https://dev.azure.com/azure/43fcaf68-ba3d-474b-97f3-7a1e6fbb5c8d/_apis/build/builds/65361/logs/155
@v-atulyadav can you please check the validation error?
@vakohl, validations are cleared now.
Thank you @v-atulyadav