From 04e66ed1966b60cf71574df7206b5f9e6724c3a1 Mon Sep 17 00:00:00 2001
From: Meena Kumari Chatla
Date: Tue, 29 Aug 2023 17:07:43 +0530
Subject: [PATCH 1/5] Parser change and Repackage

---
 .../Data/Solution_Juniper SRX.json | 2 +-
 Solutions/Juniper SRX/Package/3.0.0.zip | Bin 0 -> 8163 bytes
 .../Package/createUiDefinition.json | 4 +-
 .../Juniper SRX/Package/mainTemplate.json | 129 +++++++++---------
 Solutions/Juniper SRX/Parsers/JuniperSRX.yaml | 8 +-
 Solutions/Juniper SRX/ReleaseNotes.md | 4 +
 6 files changed, 79 insertions(+), 68 deletions(-)
 create mode 100644 Solutions/Juniper SRX/Package/3.0.0.zip
 create mode 100644 Solutions/Juniper SRX/ReleaseNotes.md
diff --git a/Solutions/Juniper SRX/Data/Solution_Juniper SRX.json b/Solutions/Juniper SRX/Data/Solution_Juniper SRX.json
index dcadfef0c9d..a54f9341379 100644
--- a/Solutions/Juniper SRX/Data/Solution_Juniper SRX.json
+++ b/Solutions/Juniper SRX/Data/Solution_Juniper SRX.json
@@ -10,7 +10,7 @@
 "Parsers/JuniperSRX.txt"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Juniper SRX",
- "Version": "2.0.3",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Juniper SRX/Package/3.0.0.zip b/Solutions/Juniper SRX/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..72d3818cecd005cc8342d1a5d190b2e53f72ff4a GIT binary patch literal 8163 zcmZ{pRZtv2x2f&C=AvQp@&>rIoFd zt%t3%6Pum8vs0IDpz~Vmr;p&?ZrBpXXtHH>Vv|;YuJg!he^>EFERA=I6e+1qOucW3 z9GU!}X9v^^%Zm*}{=r{PKGUIc>AV?Q+Wy-2v9srO8PfBPZ$9d5*iC@1!lqmQ(CtMC zBv6@+weQBsm=W8*Bxasn*JPcvv_5XQ3oz2ZrW~a6H-(4noU$9os@olx|2aOD@qJRt zc;AYDSK>l#Uo;?8(4D>4J6IIZc)sHrA(yksp@{Ir`Z7Un$=Y_1snZvZOnP~Y^sVhr zxxqPx3(ZE$4Ot63hGK1g_I*07H4G!mBK>CcEM3R+@rroc~zi*|WhR z|JTeBqa;|Eu1wSq4i!b?~x!`Vb0T)2#uc5TKp=C*T{~ za$kL@}(gd=0DpUX*vK7+X*j*b@L+ zO|2F#BuN1`{dQa)R?UMyp?yw}yUX112G~JEuW|<@p^ji$Oq8ls;7p_sd>cEeJ@_tF z%(f+yClmwYhpX?A+&Z(a_4mv)g2&SlG@Y*Nn$ct^TB(6wfv)4Oi8Gt<=!XU$wX8jl z`@`>Bm1M4uS_Egm7Kx@CdH{m!J}ZEKssl9^N@eAIAEos0$X87@LPASnZ+mmk@6?57 zBgZg%{TxUpa?H#j_1E5@sKbZ1VxJb0-xZB#PIiCV@JU!Su%C5|E(rJVocVW+75+Vw zaqbYs=$*thBCODx#)G#PL%DM|rt!rZqLXskipg`El^|(w_-`aCxa^^WodjOY`si?o z*U0ZE^Ea>|-TG-zl10}+$zmm&+kLrLx_6die3v)xbYxj={3>^%)()8XZVB;w!WWi= zwht`ssKyCc>zE*y(d26<$h81k4ws-fF&hiLQ8DEMawDQ;D0%7IO(e^Yb0GkCGqwY* z>P}(CqGpM3l^(Wa)4i?^2y<|xeKoqy z+;0sH-cx*yqF`%7`&`ky)ri-N?+Km4*f40VgR61O*`8AdDG*qh)!YuE6`Ig58)}JH z<4^6B>+57Lr*i1cTr(UX?Hd)v-NQx4M!C=;fh7p*%`YyYj7@R4^ULR>dGo?gjxAs) z(Fqd$1n z)DZR{zX4z$5Q-0`ucM@|6Q!fyMG(lTz#I@WXZ@Ql`jL*^9D%}reSlB1ni(~rVhs`& z)(h6)_)63JC0S$cIj2#}<0c5(yjzZqV01JdTfddpoIcK?SuTurxGISrE3ieUQgdxK zcE?2qjk=jcUaF#b=A!)=8cOry?5emb7oz{*!+Tz{gFUByEx9g70eYgWjE>$jnLEe4 z+szb(P4qp*e3(pobA`PSH^*P6FyQoD&qb_`7)VL1-2(e(6Ba?SY4YR@`gOqQl9|k; z2O|39x|8uuW97>j;DO5oL(Gy&*Squ7y?~{ki~NEobOVZb;dG%`sf7~d0;j*kpOY~d z^44z&VPbKI#gOIGo@LYR7K>nr59eL);_zdVnSV?l=iWGPkOYc;lh`WFmD5RYjhg|Fb-QXJfUVDNhn8>YHjJV(AK;$_I9+)06{ z*aJQyW3(UFV^2|1@Kf@hFTJnv)$XGS>Dh)X=1&L&s`E$QwbMpP!V{D`eM@=cl*)TQ zejG~fYZ$L^{|RjGg;Rv+O4Z*pp3C#yUmC&`GA}%zd=~@1%CHFUNr}iddVXdbzzg1< z?txPMe?iI|Nv88N?90fXe+kM_2?d4yFGw9tZJjhN9bFv$#p!=V=(*^N{~BLv&n4vi zBjn^lJ2felrP4OfUDXBx*VT@PnD?ARXsGPxxYhIs|3CNWl7 
zeW1L+E*}RxwnQ)_A$`6W$Z^lzZD??KgQbs1!q``twEl_;K;5UUhBq{7oOMFRMU(8prDzdq3I-m5 zaVTYQMzPwE%x{XSd*f`rS~-7od@BgTy`vUx4n;Ik+3m$76UIIp)4AemOJFFqmOq2f zisi!ijcPQz#RdF)%Hw}Ni|W5m|99;@79yO$h^kX3^+E8h+J=LanaNtHHdTOz?O?!& z#`mNP1GnC6zG>u%2>@Nr<|&VpI${;SeC?J_qr>5snM`4?wKlu$!Gs!Eg?#o%*Nu1`$<;kkw*h^o!hGUec^+y*_oPYL1Ruv? zQ@xHDyMu8lf;8MUWmc5Cr6s%wmKYfTSfqD8Mc$f;MJG@ZQ$*)yHxF`9N?NB`V*pb5?n6>e@NCgtss)a2j4X*g1fxA z0vBvv=)Dj0y{q3RC2ciZhTJ~}YjxH|FPbf%u22i71#5ZdA&l#`v6eH3>@WQdXkRBM z>`f?2Ja1W{Z8!HN4)mcUp-J18hu(}|js%+M$QY-Dc;Jd7OkWKi7l>haw}d!hvr~RaN{BT_(1YAV8h{)KM%cUE!Edpg*vdnMjwwCs$N!f(!dj}#Y*5~nA>Vg z&{q5*&*RCZ#{8G16octZ6CxD#2lysGx%I5AahY-&|4cCPGR@4CKTuo%6;+`o$GkJ4 z;%=2bOqX@HE8wA{{8K&k??88{po|A>9r*>-VPN&8P~dxLH1xy(6b**C_vXFop|puD zuZzSqPnX>lJap*er-V7dn)(J9x!cCW#|1ygctnQF5+?|`!8D;zO*pE!W@y5Vi?i-l zY+9vC_P5Z$xQZEpnt?Sz7-yMiv{eHDujA0u%wr-iPLlg&lZ&4=#<_2~)W^{rmzqf* zm~)%zyKf1^@=*9G(9Ih){Mz)bvKeI`I@3g6tD3ZcG@k%aeoYg9s2SfzdfeQ+$AAGA zMQUI95~~O#n1hiLzG)P&arV9pT`mcgp0Q8bv?&fn`xzf+IO@hbNz?YGcG)~yf{tzRE%CmMd}7Es@MwG~p5>Wi^S;7<>TQLAv>)VAwcfy7{P>W8 zCH9}{C_^DillTr*wbPTfR$wO(a;MNy3t7n6`1t9P#2az#17$Y zED^kZ6@_|ZAu(DdbL3Ebc6o4M#loMl8$y?cpEm<_h^ixkAUyN9x_h0g*@o;Odd(W` z#5MmKe*UtJPTjJNqQdcGQshIMcXw_56XA8gBAtPPZ<;tAJ?iqIvEP#BmVOkcIILt% zSTMBcFyT;^*VY>qPbjttId8;rsA4BAQ~nV-?w}BIMk>y5;+gw2L=|=jL2b466geSC zG1$nL6QXRq#!;#po2~|bAhG8HWTl3)2{eYtW7^}it=Yy5 zL<>xE2vTlA<8Aw7*i_im0zLRxmr9a+Xl2#k6EUp!unf4DETb%}1O8CU4)67Pnxd~~ z4{R28BHDR|We-lNMQ94kmxi~O1X4=bSLN#MSht{&Qhc&7Ctu9Tox~AQ_F=B6?@Kgk z^dmGBpeH}U1+G#cJf^TmVX?OLn-KzBli&d|-lMFD6i%NlW}p0*w)~31Kj0OcmT-z< z`4Y3yNYhy+>N_&OEh6ZVR!GJx5DUhn1ezH~g(K!3iR~ODeQmgeTg)qRDWCI!JEp&m zC8j|(>*$C+x4*(S19b4hGaNDF3Ij`yDiLDtMZ8$TyN37r9zNBCRX>o5CU4K06NwXt zF=CXP?U;W;UQ|j{!~e2Z@!WzTJ{g;8{V`+ytGrb-^o_ibqq^ z-j5}WeOnT9J7i}Gcv(>nyB^4#J16-?8l+n>k&l;hbv%NQ{@YQUMHga~d3o|Yx!jND7E}xR z9VqTVRPfN~Hw&ARnYIyz2`m=`qzpXYEeq^o$w6HLfTHR-qC+&tvvwTCuIhS^DRtr> z3==}QE;CMVsejmM)WwUj7** zk|jS8(t7sfmb(Yyj8D(55D}m>Tj9#9Q{A!Sp5Vy$LGQ%)N_+;4fqCN!5}u`w))2-> 
zFh|TElpJMu1j%$C$_zc^$jcixEd!21#9NahIqzg>fs#wqG$hz$0@=2PTO7E1==h{L z{&T^nWS(8{eRxx0vL<~JQRv)U^kE!FL|{#HxQVu6y}!Yss$lKICbK{BV?X`wwcJhm z6fM7KpY+#m$PV0HdS`tB{IU{m3#q$AoRvsc7^W}dFHMCod$ry`8Op$csYJ97FE2al zh;+A?(Wyd$`o79E7z-85&dG%sl(xZaOqW(?7&a3|W7J}2fO=hH>h;(tPMA@0 zsonz7NrUEOvxMAL8l>=)T9CKuZ2uLVTox!DE+|GK5bXF^n@*TPN|v{`$)PNAh} z{0%zGoq5BS`*!DP;2DUiy4DjE(dK&GomUCFh&D5l%GkGrZXrZhl>pajQ25OY#LP2| z)_?rkwG(;BG(#9#bUwmuN-nxyj2^n1h1z~|PhQAiJf}-aJ`D@g??c$@#6HeN(~OF6 zq>3hji-ZW^+G2*S9E2??AXBV3lRz!JF|jFLOf4Y8*65{zIf4vXR8V4;B1y)&$5xyj zJtj}@*VOya)zvuw=7#9>?yyCOaBmFQOt@ci7i*2kI)5X;;%#i2woo7;Pk#5YSNaux z(!y~pY%4NhX|(S%kL2!MJDAXuRUcm1EvEyWX^a?Ac$$B_#5;pj;S)YI+PY4$o3av} zUpVkE7Q!2Jzr_8we-!p}D#KKImQ) z1i8P9`__^44nq=mbX@JMjDdlvj1iT}H4!YCl|S%|S38x`x9LLOJJ6Z7GAKK2(*62M z3<-k}VSX*sEOuwUr2>L?qSVSJ-_yDHZ3J&PZPJ9)(R2h-g(})*6c!I^kU3 zXcj9zt2$IxwosI0*@@8hd?&*oFltT3O%(`8)L@4$bt}Vmox8 zeMr)C^tMj^;(Ywv%3~`(Lv&~h+Sa}Y=jtz(Bh-di2L|etnV<|MUusSviBzA|)G{)4 zn3a_nmnEJAe!rjgvCBHH#1`6H4Uz;r){ZLOt-tan{N}^&4&eKd0;cka>53gFaYAbM z<6UUFx-FVV;O~g?*6p~w&vjHrt&!EriEeXp%M%R0O(JAi-?$=y4WFtggVbQa5yONW zME1Od73tIdBz&xh?0O3;q_)!S?O<6iAULatY`=vmVC$4IZUtn`EBL!-Zi1(Ivp@Om!GJU6$Kfcy_{N&`vDkkWywX~!}A`GfBVulFgYAbGV$qx zE(QG%WvNOw@S$Arv|enDi+%0+Y)l)Nkue-cGFG~7@vx@{Ok-`J?XZyNvzFzvl;$IQ z!E=s1sVA?t0=u#Uw)t{4bV(%>#`q3Dc%I`Nn|Jv1uQ#ojy^P=9FRf^sThG8=rH*V6 z{uIyUzBP-aP|N_nBE!e&X(k6w;EDz{YJi?nF+%q!=y!z!sFsn0SDu6ysA0vns8QBb z{~;!^_*ZnXG!qyI`4aq-glW54@FG7$hYC0)zxw&X@bLcfiEq5tGt&_Dw4*<)Lx#W* zbpga#qD}6nWxo-7)1H#fOY~8a!w(7yMUsHs&q0fv+OIx=-9e0ECJ z3fMeWKWA}CoE`mz7i5z&spc+{(VA4 zbgdRaijML0MPm&(4o`Beb1oUkqJx*5EM1qTj3lp~n1W^A=lboD$&f^hTgueHpqv9%#M{m2Uez>JZ7^P$ zKtUn;KGeSS`bc-3^FGmsR7}7SK|U+OvifzLQ+aiM@b@hJnhM&ktz7PCRTsNG5l)e# z9gQYoKOV7N@KvXNNNd2(oo@qq??ehlTBcE6XatJ-3cRMEsTIG9<(4h>V=^rxhg^w{ zq$gUxPnTYyM(7kOPNY2;MhBk9j1}r#g-BH}mur$b9$@;-JW2oykYK}f+I&WTh;ev+ z8Bl1#Rk+S_Q>??%y}g@>;gSxkUepd?IzyfoTsq z#hZn|w<*kh*+wryracm$V`=(8JGwab;Qs0jV9^d>?2TXF-C^LDn!J{ZehZy{a{P_m z^u5v_roiY~Ol5lV0k{v?k^PkjvyG;a;xgrk7j5krBH5ZQ#79GTWl7n}V3V;WC8dYg 
zo|0vtkI#OhJkqC2bA`u=he>lAd1uVx&{UpYJAr4e+!h zB`f6I@ZwHGl=+r2E6=McxL|LekPHq2#5mnjhx5$o4Lv->2F68To6FWBNWDW7&z49h zNZUZ39A$^)M56Ky!S#iv>x_Mw*6>66aEKeodtZMOKNv>ZjlL>$0X;lJ_JS& zE_|-7ARNE?HWJ?6rG$Ndc+SU;^K2S}os#27w3kJDwa^yw1M2-`q7y?GIGs=4jgdC> z^Kqq1XV58I@1&M@qp3o}zTH}>!>PT+&)_%2er;kxXW_~!h+NCXSk^=jr{l<^f`hfd zXMSbJpK=zj>>1UBJv>Y!Jw>|bblIsI@h<*99RksnuJCO~1_TRRd5x?k_$uCd+k0gGFsa;jaKL@3g>;JN>Q>yyc z>!DC(lcHcMSMuX)0fPZ$vwVil*OVEj{aN9*$&KpyauE+XPu-8zFEK|!doqp86yWWn z2gR$SZcCB%ZN0ht?V0yN)yqcK`S*_!)fX~S%@Q%Gf+8-$PTe(?PmX#T4{nQ}3m&}W z#B84ERc2>TB6C4Gn?F!e32f(S1OGhp0o@AxaL&a;DQVHzAf|$qNkw1x_-`WEASym0 z^^J8zxV~m-(qGvNr!@BKz-QMu_P5u#Jnpo&|#B^OlW5 z)Ld~=;ZEb2Y{On|t0sTtuEIx$^Uu+$_9PE3)_q6!AQjJn@>ikz^DYtsFxejE^1tWZ zt5z6JBBUfR0p?*$x#|_*j9;c(s@U|Bg)wnsqN!)@*%OZ9NOv-2Fc1&KG5hNBcgMTt zV<=5d34^-!|CY{hUE!XvgkfQsUgzPLIq?POI(+U1`YL6zC-=u$UAuh^5aJ2Q+~PI( zX;#WoU9(FmdSd$dM~Og1A0e+5#S-Tku7Kdm78c!S+yBLK zb7RI7e(}jg-Lq)KOpaPD9z~VRWV<|tfj44M+;Wm-&ze%5K1v{+9+wiyg1)4v$lOTe z!1q}Pz+)cKs{yCDSB=iv#;la06fk`tN^{s5>#GOH74zWtB zL`88m_L{mwE3ttOv4&G$fm036A%$(By_%Zz8Q0lYUiZw#Eap6~?#E3WWCACpZ3_&# zMT$pOp{_a^N5_V7o;3*FS_aLUd z={vWeyXFBn%_`vZQFRWUjj708|ClbfnP1y?~71>&\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Juniper SRX](https://www.juniper.net/us/en/products/security/srx-series.html) solution for Microsoft Sentinel enables you to ingest Juniper SRX traffic and system logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Juniper%20SRX/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe [Juniper SRX](https://www.juniper.net/us/en/products/security/srx-series.html) solution for Microsoft Sentinel enables you to ingest Juniper SRX traffic and system logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Juniper SRX data connector allows you to easily connect your Juniper SRX logs with Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Juniper SRX. You can get Juniper SRX Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
diff --git a/Solutions/Juniper SRX/Package/mainTemplate.json b/Solutions/Juniper SRX/Package/mainTemplate.json
index e00c66ea97d..47566caf9d9 100644
--- a/Solutions/Juniper SRX/Package/mainTemplate.json
+++ b/Solutions/Juniper SRX/Package/mainTemplate.json
@@ -30,57 +30,43 @@
 }
 },
 "variables": {
- "solutionId": "azuresentinel.azure-sentinel-solution-junipersrx",
- "_solutionId": "[variables('solutionId')]",
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_solutionName": "Juniper SRX",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "azuresentinel.azure-sentinel-solution-junipersrx",
+ "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "JuniperSRX",
 "_uiConfigId1": "[variables('uiConfigId1')]",
 "dataConnectorContentId1": "JuniperSRX",
 "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
 "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
 "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
 "dataConnectorVersion1": "1.0.0",
- "parserVersion1": "1.0.0",
- "parserContentId1": "JuniperSRX-Parser",
- "_parserContentId1": "[variables('parserContentId1')]",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "parserName1": "JuniperSRX",
 "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
 "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
 "_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "JuniperSRX-Parser",
+ "_parserContentId1": "[variables('parserContentId1')]",
+ "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('dataConnectorTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "Juniper SRX data connector with template",
- "displayName": "Juniper SRX template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Juniper SRX data connector with template version 2.0.3",
+ "description": "Juniper SRX data connector with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -219,7 +205,7 @@
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "properties": {
 "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -244,12 +230,23 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Juniper SRX",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "dependsOn": [
 "[variables('_dataConnectorId1')]"
@@ -408,33 +405,15 @@
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('parserTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
- "properties": {
- "description": "JuniperSRX Data Parser with template",
- "displayName": "JuniperSRX Data Parser template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Parser"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "JuniperSRX Data Parser with template version 2.0.3",
+ "description": "JuniperSRX Data Parser with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserVersion1')]",
@@ -443,7 +422,7 @@
 "resources": [
 {
 "name": "[variables('_parserName1')]",
- "apiVersion": "2020-08-01",
+ "apiVersion": "2022-10-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -452,6 +431,7 @@ "category": "Samples", "functionAlias": "JuniperSRX", "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| extend SrcPortNumber = 
iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = 
tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SrcNatRuleName = tostring(Parser2[7]),\r\n DstNatRuleName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", + "functionParameters": "", "version": 1, "tags": [ { 
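Review bot: The `query` string on the new side of this hunk still carries the pre-change Parser2 mapping (`SrcNatRuleName = tostring(Parser2[7]),` and `DstNatRuleName = tostring(Parser2[8]),`, with no SourceZoneName or DestinationZoneName), so the packaged savedSearches function does not contain the zone change this same patch makes in the Parsers/JuniperSRX.yaml hunk and that the new ReleaseNotes.md announces. The Data/Solution_Juniper SRX.json hunk lists `"Parsers/JuniperSRX.txt"` as the parser input, which is presumably why the repackage picked up the unchanged .txt rather than the edited .yaml; the second savedSearches hunk (@@ -505,7 +496,14 @@) embeds the same stale query. Until the .txt is brought in line with the .yaml and mainTemplate.json is regenerated, an analytics rule or hunting query that selects SourceZoneName or DestinationZoneName from the deployed JuniperSRX function will get an empty column while the repository parser says otherwise, so the 3.0.0 package should not ship with this query. The enclosing savedSearches resource starts and ends outside the hunk.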
@@ -491,7 +471,18 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "JuniperSRX",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
 }
 },
 {
@@ -505,7 +496,14 @@ "category": "Samples", "functionAlias": "JuniperSRX", "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| extend SrcPortNumber = 
iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = 
tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SrcNatRuleName = tostring(Parser2[7]),\r\n DstNatRuleName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", - "version": 1 + "functionParameters": "", + "version": 1, + "tags": [ + { + "name": "description", + "value": "JuniperSRX" + } + ] } }, { 
@@ -539,13 +537,20 @@
 }
 },
 {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "2.0.3",
+ "version": "3.0.0",
 "kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Juniper SRX",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Juniper SRX solution for Microsoft Sentinel enables you to ingest Juniper SRX traffic and system logs into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution is dependent on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (Syslog)
  2. \n
\n

Data Connectors: 1, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
 "contentId": "[variables('_solutionId')]",
 "parentId": "[variables('_solutionId')]",
 "source": {
diff --git a/Solutions/Juniper SRX/Parsers/JuniperSRX.yaml b/Solutions/Juniper SRX/Parsers/JuniperSRX.yaml
index e5726f7e6e0..e7a58eec6a9 100644
--- a/Solutions/Juniper SRX/Parsers/JuniperSRX.yaml
+++ b/Solutions/Juniper SRX/Parsers/JuniperSRX.yaml
@@ -86,10 +86,12 @@ FunctionQuery: |
 Substring = tostring(Parser[12])
 | extend Parser2 = extract_all(@"(0x0/s)?([\S]+)\s([\S]+)\s([\S]+)\s([\S]+)\s(\d+)\s([\S]+)\s([\S]+)\s([\S]+)\s(\d+)",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)
 | mvexpand Parser2
- | extend ProtocolId = toint(Parser2[5]),
+ | extend SrcNatRuleName = tostring(Parser2[2]),
+ DstNatRuleName = tostring(Parser2[4]),
+ ProtocolId = toint(Parser2[5]),
 PolicyName = tostring(Parser2[6]),
- SrcNatRuleName = tostring(Parser2[7]),
- DstNatRuleName = tostring(Parser2[8]),
+ SourceZoneName = tostring(Parser2[7]),
+ DestinationZoneName = tostring(Parser2[8]),
 SessionId = toint(Parser2[9])
 | project-away Parser, Parser2, Substring;
 let AllOtherEvents = LogHeader
diff --git a/Solutions/Juniper SRX/ReleaseNotes.md b/Solutions/Juniper SRX/ReleaseNotes.md
new file mode 100644
index 00000000000..5fcb57a2206
--- /dev/null
+++ b/Solutions/Juniper SRX/ReleaseNotes.md
@@ -0,0 +1,4 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------|
+| 3.0.0 | 29-08-2023 | Modified the **Parser** to process Zone Details |
+
From b4f1c74c0db93364d50e27d867d6cde359145da1 Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Thu, 31 Aug 2023 12:19:33 +0530
Subject: [PATCH 2/5] Update JuniperSRX.txt
---
 Solutions/Juniper SRX/Parsers/JuniperSRX.txt | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
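Review bot: The new `SourceZoneName`/`DestinationZoneName` columns break the naming convention the rest of this parser uses (`SrcIpAddr`, `DstNatRuleName`, `SrcNatIpAddr`, and the `ZoneName` column the sshd and RT_IDS branches already emit), so every consumer has to special-case the flow branch; `SrcZoneName = tostring(Parser2[7]), DstZoneName = tostring(Parser2[8])` would fit the existing scheme. The columns are also populated only on the non-denied flow branch, because `FlowDenyEvents` still discards its `Substring` without extracting anything, so a detection that filters denied sessions by zone gets empty values after the `union`; if the session-denied message carries the zone names as well, the same extraction belongs in that branch. The `FlowNotDenyEvents` statement this hunk edits begins above the hunk. The identical change is repeated in Parsers/JuniperSRX.txt (PATCH 2/5) and twice in Package/mainTemplate.json (PATCH 3/5), so any rename has to be applied to all four copies together.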
diff --git a/Solutions/Juniper SRX/Parsers/JuniperSRX.txt b/Solutions/Juniper SRX/Parsers/JuniperSRX.txt
index 4d5448aeb20..00511e63997 100644
--- a/Solutions/Juniper SRX/Parsers/JuniperSRX.txt
+++ b/Solutions/Juniper SRX/Parsers/JuniperSRX.txt
@@ -100,10 +100,12 @@ let FlowNotDenyEvents = FlowEvents
 Substring = tostring(Parser[12])
 | extend Parser2 = extract_all(@"(0x0/s)?([\S]+)\s([\S]+)\s([\S]+)\s([\S]+)\s(\d+)\s([\S]+)\s([\S]+)\s([\S]+)\s(\d+)",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)
 | mvexpand Parser2
-| extend ProtocolId = toint(Parser2[5]),
+| extend SrcNatRuleName = tostring(Parser2[2]),
+ DstNatRuleName = tostring(Parser2[4]),
+ ProtocolId = toint(Parser2[5]),
 PolicyName = tostring(Parser2[6]),
- SrcNatRuleName = tostring(Parser2[7]),
- DstNatRuleName = tostring(Parser2[8]),
+ SourceZoneName = tostring(Parser2[7]),
+ DestinationZoneName = tostring(Parser2[8]),
 SessionId = toint(Parser2[9])
 | project-away Parser, Parser2, Substring;
 let AllOtherEvents = LogHeader
From e9ac201d2c831daaa77f3a4c65b4cf9a0323c991 Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Thu, 31 Aug 2023 12:27:56 +0530
Subject: [PATCH 3/5] Updated the parser for solution
---
 Solutions/Juniper SRX/Package/3.0.0.zip | Bin 8163 -> 8178 bytes
 .../Juniper SRX/Package/mainTemplate.json | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Solutions/Juniper SRX/Package/3.0.0.zip b/Solutions/Juniper SRX/Package/3.0.0.zip index 72d3818cecd005cc8342d1a5d190b2e53f72ff4a..e4c1064b8fd4b1bcbf1d054a3266c4b045d1f4cc 100644 GIT binary patch delta 6232 zcmV-e7^mmsKk`2fP)h>@6aWAK2mnrFAF&Na2M+RLA6HgOBD~-i000K4lVJxYf7X&u z56fx#$R*CYal7?34`1Z8_g&;oVG_1jQzT1JcHE}>x8DpNB=`Uyvbyp0#NDs4h{4QY zFf$kcqtUN_{u3d+f91}CEotu&=`E5Z;*Ta1`DVPN0lj2P79?Z(%PMALCtRvFKH1-! zemUCvbhI~}xGeI+TZB7h%gCn*e;fbA!{A?fLqWg^g9O^XXEFD}0O?G}d-y-qzGMk? zX@VU5iZ9?5T_uY!M$i|Y6Nfy!NXUrrRTPDB^4Fz)hYU$1g3J zF2b1n=PK|b7L(cQ|L$R@-z5Er#uRt}_6!dE(4mQBSG|Il$!)|CJx^jUf4J0?aR^@U zoCTN30$QipYnNTnm7jc1{gvqVHfB6r#SZ&h9Im4NV63T}nYc>gP`J1gdy(R)_cBb# ziZgde&Q}Qu7;~9Rl8{7{b3)_gC`qnh^gJOyK37CWvqiY_-4S#heZ@xK(%5xE==S57 zkRKTF0-iAHB36)HLZ2m}Y7M`;p9w#n~y=x$O5r<0w{``=n9eSGY z-{c>^={YK+Y$xBMAUlieEhr%n?C-p0mqIT>BDI!qttxtMI2nPeG1Lmw8yufz7GC?z z!M}Efnb!1obomQVX4ke>L;gY2BLOff4B&ZqNe%<*f8Qpa!(lF2%t&Tn zGq4^nU_MSSXUQrm4aG2;YZ`m>+-IiEfM4)@!EvpjzDwcWrdawr;^ofZECbUs^Agxc zXw!U4K!$gDkogvX&;Z9Swh2GR)j*|J8|jZD4LbTsQsVLZG9ih_}oUjb*rLa2WXJuVjspQQG{cZS5YrnCXfX-Et#Gv=&fFS$)oyhtpq z1}^E@rdJQXARrJwXK^~GRd!YYX`c2Rzeew!GGQ&;bqs65DXh^mMq>!tYRoJr6B|44 z^8A!~6s$wOfBYzB5yf?8AsMsUgKV}NLa}>ZCq^ftxhOQd?=5pvlK3W!EsEDRHaViQ zm6bU!nO9zx1wp5zisM^jc-&umczUZ)9$*QURJE$nslgc$QW{Ufc;3n}mm}TQmK??5 zwFf~rpD1x@%i>00NF&dPgZB6KAIKdVSOmNF*o^@if2g3!y4aO0*U(Io+aLAbR+{1{ zi;B&T5O%Y`<*$NFEaLsgk0!JpQs)Y`y~S|C)CMEUKg&i2Qv{49o*5IXA?E^fBaS5~ za^h&2lN&EtWP8?YIhQ0C&+JrS=dm7BoU z6W@a9CIiDiP~Q)4IJpg1c!I$w_xxMkjBj&iT*MDAxpXPzP5zjiE?}R3>0L94ZyCno z3<$Lf{sr^`Ul?D~!23mN0w=&cY6zi$OS~m2oa`PG%{mFSk`jkT^xX43)PS)?l+<-S zf2q;0+0QF47T)PA3L}b@NI4_0q@ySZ1s3J{0YC&OP$EMNa!xsO<(uzT9GL%R6^Mfx zb<6{elp`>7yAbD9+MnAPyNqeH_%BJg>|yj%sjc|nAr07tKD#Y5KEA2WyH(OETJ z(bs2}Oqy4Dw^0F(gGWwp3q7hk{8sh)f2>*voPzsjcaTD1={pT0GTkF@V9JzcenUMU zCg+554vOVg_^K4w&*dSKdGJA2F9 z1Q+uQ1EX36Nq<1jZw0raBSIu{1n0LB;+;*%mSJ?2)bY`b9D!>Vy3CR6Oe}ijfB1wP zx-P7N8e=&kmK9MDT-^V}2VhGWaJ1BOM68CrzVsw|>3h==OM5dg-cMY!h8TenY 
zRJxY2Zu7Ey0w4(lPOgiUjK>$Epf4a?|}=ho5#u$+LgtaoAGap2B_)(chrbf0C>nZy#bA z3b>ZFS>sepDujBeP47KwJ98(DI)H1APTEX^>LW%5P^h0ZxP|ZcSqf^0tW?^XhH8CA zr-32Tvc^r+Ylrrh$YJySp;HE^P1B*+z|Z)e=UHiWh0 zG$iP2#M=vv6EA!ry3gMP4l!mgyqlD_3OLJ_;XOC1-C=fONUAj%zN08Z%p(j>wFq$N=9 z?mh=Wy$9nH^lf`iF(kwIYyDuYCnVL$BUa$_G~(GJ3}Ig@f8!vS)spNU)j3pwtG)Ni zo(BH#$#^_gJf(9fOpgc=lkdGa0X-!zsIvgOY2sF3E@;tA-C(?VAGbW(uq>4CSoI@KY!9P=R#_f;SStmLc3+YYVGu!~O? z>l=hy(Xd7!f7xRRxU;93%NA0sQBz8SFc_K2dIu#v3U7jR$x2D!hZxlNn!;zTyr`rX zAs*0)c2np6s9O3m41}Cp=}w!Om(NGm&w7B`{`Diwjmz}iA|0@1fL4}l5x!|4(=kbH zB*5kJJfyLy&>}Mor}OuU7oO=rUj}~EQD?#;dbmLwe*(v^7If|FJv>pqX0bdxo(BYm z@g{)XUY2D@s0#+@Fbq5s2nQiD5G#YAB?6({-Jwd^gBCpH!O%djCA+&arhr8R(C?4Q zOhX<<5rh=y3{BZF@gbkfTW#@NVdL3CW{gd?m?L;FCghn~z-IKC)vjJ0yuk(o6w}^e zw;xCef6bJ5YfZ3&>bEfIJ83-3WnSe()ChBTZp4khm$HMNev_^OJiiV|JvTWsuWO(Y zOz{SdlMA^&!XvX0d3zeuiwn<@`>(#fmLw-3DATQYJIHoSSLeB#rsLoud?xlW6A#Si z{nH4H{)xJ|{fp;5`R=RfXAk$j{0nR>q9-rDe?C1tIy^lbD9SMZ30n#h>r=QoM+*Cc zc>ojhMr9WtpMd#_^K0Du>FrgzJCX~x+*YYu@${|qS}IVKJ78=)VjQ$o+G&Qp&csrM zd0;9G8m_)lD@;+R^V;&u5?tX$QTIwZcb6;SG-oxigg(r)!DIP8 ze~-YI+EW@;&e0^FS7b2Rc>fGsvp{DYef0d3yJoZIhURDxF}7BisuAgn{@fH*LSEk` z4@BXR;hr?(`fd{TFXEmv`$er=_id(Bp=0~V$#^W)#83GywO zQAzmixd9&-Ll0Ub*mfEIg-&3AahqXdfAE2DY0{FUG0xLi!>yVh4YzDc4P1f9`ueU$ z!8D8|->IAtcvjV0UsF_e#YRiNMjbW#DC?hz)GpgsBTUG({e(vFU6Y&Wx%q1vi*0Ir z`D{=tUq$E=dliX8-4Jy3YPxIT>p!UtZgvgtuy)_;HQSyRT92wS5p&(-HhTu=e;+SU zxVzyu1_qr?$Lw1j2s8u$%?p3`1wXe+R4?#N3w!$oJx9#4fOlEAJ1y8v3w7rOI$e0J zzHmb>sg?HTEWLd??p^$~Ee&^l4^@+PYxiDGQ<`myG}#vEvD>uRJEz4qWSy1|1lGth zZJAx#GOIKnTo?4gp3YYuNvHI^e|wd-S0@6eU3#AVq^CI@uPzPmqov=SwHHxCj&WHu z8^|f{mKpnza*3Od12>p6+)W}I&K0gxkNWIOd)8%rwq;(n_1TrJvMMW&7dMnexykIw zwX!B#W=nR-l5Eb7Y|4skI`%2v6xC%tR?S}HUP8fbGP|)jgc_A?&i`rje;3*I%DByfyYE?Wcg}vRJGALouH!yb zfynr2zP7r?r{pC!0te#@{`U2KCFq47AzPui> z_YqAAy93~veReZ*y4aK6~F9O zy2|-Sdb!nVTG9)yIfn=Zr$)^a$Ad00RePf^$7kXdo_9+Se^*SLId8)UFmt5Cq@~wp zAfbX(_5f8*nAy!!8F*R*KH^CV3{vQoP@TXqUapqsOrrCGMC018z*PZ_SPOvv69!C; 
zrcCn~V@TNH*dY#ONF$rdx~=-Dxx;z;yO<}KjHmeTQ=FYXOyCEcHJqAhaW3l7p+VjV zgPhMlsq1gdf12lA^gS-`(DiFj0RyYls1?rqoX_VwTDNvG^}_gAHKL-;=Tg;n@+=Hf zx_98_*xLpaD`fXB3-xuVnOcRAScq)}(=c!?-J5Pb`zDYO3 zbQi*M#a9B%$UQ2Kax>H%KZMvHNS)sn98pVprYA7zf2Hs9^xSNpRURV#3D!{{oM9>w z&bf^O@vIF{NS9K_hT;M~^d%Pst&)5gNQ*+Z@{((-;>A7%dM(H}+Rt&6N4+_YOciV) zm>M<=mu+&OU*~n>7kCR4VZBS$AM9I*VpyS&DUuw;;yPfG&9&ued%CI2z0NSyQH&N9D28Gbr^IQ(q*`S6S3mmN1NrnK+0TPf`@YWE`#>h?B8)StH7yeR00 zeXfPwu@ccEi+CcZbux;dDBj?hmJ3 zH{Dx3uHgG6wKMZYHN2glFDtmOBQPzAU3Rcjn3hgF>TGekf0mE>3F^JEfc<9d8X6QrKEus(T|2L>7Ts3 zw4wg2G*X8`u;1-Gi)2weBuS9uMa4P zS#UozLY-CzR>e4HuPVk_1-LS#r>Dbg?=dWJJ}j?6!$Npu<;vVWrSJ0_s5VjAe=tK@ zS=>53yFW2+Y+Y- zQ`yH`+<#_06={VvU&@XIKw||J%dKzPUUx-T1h2?RX}tD|%>qimHV_UrBc~xTS~?3{gPHB z3f#w1Dh)27SVN`k5!&7GH`h*)j1h~<7Dk@4|}Fj zWp+o~Ij_&=Xq&~c&ED8%Z)~$Sw%Hq%v(}u*u+83RNuXm|!!~=P9ldS#e@1Y}T#0S= zMw|QOZT7}Cd!uC*#5Q}w8aK7Iwr%#tHhW{6z46g+y|>vLEmW}^rk1+9&ED9g9&fWZ zw%Hro?2T>q#(mA+XpyyH$=0aM(kR?jw#mw9%*HS-0MqNg&0XQtWmj~_s#yPqMvLfv zq+zrxif`cP_Wkzgz9m=Of8hqzo=nmHO497KEkFPNq5S+E98{s|M4g|qm+@HJPg!l+ zQ1)_yLY?+@$a84Gz_KwNg5$L2CKeSc%bu`6I0Rih9~gv~GhdNO6k#^395d@_gAJQ3^~H znG(}s;2TO_!=)~f%Cm|=4$@;D283EWAX2SR5K(O<=UcSLnfUCI`V(c(BYf+N5-rpp zf&GG7!91wq({c_HtPKP5Uy7d*fVFnzW9=p^&!p-eDZ%47e*rGc+z@df+UJjyOhTWa z(*iyz(0~`dcTnct4IN%!T?{8x_lYX;G?FE@0M#LulN!kaN?6iVRRTkP`Z7ynfJ1pa z0fInw68iZ$7A0|>rN4Dy7$XF}8c43rxyDRcY$hr=*Ng+F&mrCj(0Z%eHr^@$+lYCUWDs$pQ#`{xEtE9~TVuKK*>qGU&4><>f-x zc3rj+-5(&L%SQy6LoW?UI#40m-r>um0$oS_5=XB^e>JMcpSecu%uf4eAq zX?`<7=TlZGl^bFaw~BAW^j^x}|A93;H!O1;`p;}Yn>uZ1u6HMh%Te}VNsCsAEYkMp zKf(Y15EoEO0Rj{N6aWAK2mnrFACp)gLJsm`A6HgOBD~-i000K4lc*mx23Q{e0000P CtOSk# delta 6217 zcmV-P7`Er~KjS|QP)h>@6aWAK2mnKd9kC5Y2M#NR9apM?M99$>001zjlVJxYe^!!@ zk}Ribn_S|o8#h~D^YBGZd*4~!lqO+|HAS)nWyfv0fBVhgL4ptPA*&l-Pu%?)i5Scb z1~Y>JFdF~*=RXnB`&Z^H=+f>zCcQfrPFx!K;Vr_Q&}HP?e+eD`#KPcTdKM?(gh2vr-_w|RVSsd|<6ZopY+usE zcI^Z?_!VEkD|?kJ!Wcncc}^U%@FF22!d6if#>roo>K!s9kZ>|fWPxF?S?I44AVw0& z5V;6r@}H}~i)c({Z~wc8oqiMaBRjT%2VhU*zz-ce5$wuW@G`lLD57Ucf9wU9iZTwt 
z3trOTGFd?DG<)sR3wz}!-`oC*_dAU#3sbx9JE$YzY#@p60(@x{ki4qi^llbwcR& zH8+fmK-DN}1?mlsPcaLx zed^$+zLjasps(8d!{J%;*mFa!8JStzS`GOJMUMo)C^vwY;Uzf;e{BCY@f-$oNn=Vf z1Dk>McmefsdKpbtQE4ce(OlcHXP^62w;AvYp3gb1HPrVh+-Zts(C07v!?O%b&CF|H zAE9;gEdgoX3%{YlN>`c_l#k?V~57R>w4e=91S#Gsu3hNe+SE8@&g zb7qvsCYSW%ICNJ|s#22Q#J-|AMsx$Q9_}LNeXH*}eg1)n0nEezBo1SD-t|!DMPO+) za6!*By=w3U0fG1#jng@;va{duF|qSL z&rhjG!8*jte@|i-QCw#hf-$2#h-R}P6uakjVsy-#i$XK|-ZD2OiEqN#qIhj%6C)~H zS()>adF5qU5OhkaIKDN8$NaU2r?v{^0hVA%RjVAG9Gn&*rST+;=TwZj9O<^U1h>Z6o<$eD4FJTwELjaG}A73@DcgIxB~aO=9?n8@&fLt z|3(8Ed(OL~3K)|?qyVYnzmwaYYB+%OO1rN2)mx-Ozr;&?)8?@N8m-QKkHMZ;12=$b z2K~y8uiWs43-V+^$*D%@Y@qD#=H_NBHJpWcTCoTZS<| z146BWe*rzm7si)%;Qb;rfe~OHHH6rKOS~m2oai1C#X1R~qiePy@yWQQEHS ze+i9#OMhN@G51bi+c2V7ij+|TOFD{z*ubJ#KLCgT1)GQvgPhxpy5h}uD+bKJSOxr` zMjrD(qsPUxa?unQ>m@^;2{mzg*v-92@~5F-ae)d#iO%o zy1cJXFR3uE@@}I790!k_-WGaPclfR9fAv|l5SR__pWZIX=_m1u8YBr~ySs?(Yw#6fA-gpNDCjE_J6WOVrv{1jJa#ODy~pIj_8F~$tM(i{ zkm1r}7(W_EMjej!V%t1yMJv6 zYspDS(AV&{7YZj{_(F7_zX`N3W-q*(l(!5B03nEPyVN3%?>Sc~uZ(X97(Zy{H;qWt z_F*X^+5&(uerUTDEI}86@f4SaY~yqZG2-f+pHm#*iG}#@NU=0IfA_=l$r9FZ8c)t0dXra)#$SBMZa0UpK6nWre5uifFSQa5mQ0)h7h%owA ziyz}q+`nNXj?oTa7X-axc^pYR+^={S9!9-NI;iMLOzkD^#58fN*a~)ew*(hI1_9P+ z`j9NWV3oi(&G}pVhfGLHqFp1F$nND*CLX>zQm0Agf@A58HTri#o^I)GycaQ-%q3;Wm2m_E7 zN4c}}5(M=DjE~bd?K%07G~=)JgSDQJR40!Zfz#87=Zi3ee|@cpgJ4!mvU^Tfl)SQ?1=vj!w;Xdpi)K8Rf)9BquvAKdYf->` zMj(B}&W;TKc6Mqbgp_jo$L4B`n_^y-} zmGmOS13KQW>)anzOJ9cpmvbxKX*2WU`NaBJ4^Z2`euTMk>Ast%1J(@C$dW0-*9~Mk zCaH}CxLlrxcC0Hj&kV!q{Jr9Z=PJ+_fuHTjGhrS*f83xAf#a78y7KiNo+w|_SR5YD z0|LW%7r<^W%Q7Uk3kK*=3_KGE2O%=xD+8y+1EHNAOQ!5W3!d^|XrR`TogEQVz#;u3jCy!3F~q z-QHohe;)`5&7^p1O|XONw=n5DX*|qjUgdby2y=I?#f`t0vV)$!NLK-tUk8Mq>zwJ= zHP8sAc!S2txZEG(k=clxp2YUWh3AO<*FarMlH(AR>6X78W;>><^W06-QE(AH=lht6 z2j=tPSp-J^RNmbF#dDv2_x1FPhr5sd0vn6yf9b1lP7V$aP7a2WGR%KMmz>1<6t2#Z z!rpKmz{I?h*~Lf4V7~nP8uxx`dzJ2v#KJAMRq|FmeJi|{3>3u<7#j~M11%MHnqjXq zu~cCm=n8{|tFF`vQ`G6aw*0aLS9np>y^_w|N7> ze^`FNBJic=lt!6zG|A@`X-qcWKLgh^P#H&`Jpbgb*{r#tISPc2trezfMCzhHH$|0@ 
z*LTSSkvN37O)FK(j5_Ku+}*Z5pzNvXElDY#)LmiARotgPTdC$=v6bq8fvL*;`1fgo zd`o6z5`KGbzz4?A!>$o*yA1zACosUcf6cHl_&~TcX-Uu+=V`3rR`su%Th^rpu7GEK zeOIGk3dWG{RL%%ItLm+;DJr{SqoH4;j_Q4+_0M=}m+7YwI^^1ZLLvCB$xZa!{56fi zHWj{nHmH%WB6Nwpio~IA2)cST)wS^RpVS67yM}jIyYKayZB7fVM^%}Kxo&cse>sEm zj~6K1-S8U&gU+U-_pJ^D8Uldkg}?iPpIarW7x<=yz5RloBW75@yDZ$D7VM^ly7K~^ zF1$uxxFMI+N_%sb-aZ}oF8V{RZCdP|(_$O4PRj=Z zYh;M*T zxGb6t

+yjQvEp#LdTn8_XH*CXo&23fHMeefFg}>#{!EGB4Zu?8;VIm6gYf8_J^G zWcK7*S(7cZCA(xvHfKjRWkog}`xI}A>arfIX0LHCA>lTe-B=t#jmkFXfB!W4i*2^z zHe2!DW-E4I{r>M}CAPTiuXdtsF84Q)b=bn&WRHOld^Vq5_|MNOY%y8cQzHv}T1}t^ zzR9e?rfjUPDH}CO8#P%|W-iuKqqVaCK0(&sJ=UU@S$+3Jf2tcQ;j20BoRwE1SiMiyNQ)vPh0P8zvRc3fv=+-AYu_bj+OXTQ}Q+H@?} zaUZHcWc)N=TixMG$obu>H$~M2*S2MwHe0p{eH1QoL~PXmP$iq9LcO+6T&qc+$4IYA z*s8$N-e|fDlBx21UClRFMzQKPYE7$35j1A1(i0nRZF@V_N061Ne^sUfOJIavhT^b) z#xGy0Po32v&w(%QteWtqHwg1!9?t`xCb(pNOKprNpUSfmZ23sI({PmuJ;m=aEWPhx zDI5HC-W$y4H~&7I&mTXV&)MK~KA*wAXYi(H5%(7K!*d3wQ)};RXbG&ZV2uMa84B#n z>k<7B*(re>O>vXqe=T91gs}td^o50R>2MCOop058{FLBF6mK3zyA>hFaR{oy%0RN= z$jyL`4)Y+AeSVqdEeG@7h`>;jP*$%Lqd1+O4dnpkMcl}~v2W!V|3is<#ul6{2G~;Z zi*BW>oPVU3Tdk%gz2KTNh){59?h|A=k4!&o?tSb;lIytb_OtkA92=jYNo}xs7Hqe zdBY8IKL4z)f4??so_8_un7Bh%uR#SgtU{w!IP-HhpZAq+^)vOt_*gcgqRr<*)%tlB ztd#B@xH&#}_5R)Lo44SDGCkis860j`0=jzvxk}SS;SHY&CFnoXEVcg(=M7E;wU#m&GAEs{ejf^ZNU+>q^ElVf1O_XK2Oih_F3g2;zzKK0^tl( zk#Np!6o_YSfI_&GIyNL1@MR#lC}@@7Lql2=x{;S$TNN+nDNt)c#?fAmqde-(aiptY z3>|p}B0G1NAzu8^6F?pa|<-s{UZ#TohJ?LZ(P^6pQPCPBzz;r|qexG6VDZ2wdiT zJ~48Vf5)3+CtY-OKE%sB1Gb~vgdBH)j_lVQ%pAF_bugpnr5HU)vwyOlVcaRgmS+XV zTLcH)3FJ({7@V|pJytEt)e%a2)GhgjC^re6(B~m>woF2Xolg_I6*}YfAZkSr?t~K4Yrc-OWXHC0q zy0>~!7ov}0RFykD@clQK{MRy9l$C&iEYj1jwJNg?NcNMGrfTvP**B%koBLYiWDl=a|CvQjgca8OQaa)Q zjb%*?SFve(-Mv{6ydqJg@h&RTe+<3ORqrPMELn~-$M~CO(OdsHXnnO4F;@+y+2!t3 zc5bL|qBO3#a7oKbD4l=qte&cbf23`Flgdup`X+ks*LKD2{e7%&(%=$`g-yyHq20B6 zb3qfqND-_}C6kstTYD_kXLE^9hRlf;*&5x_K-NydFsJ`ird+h0^ZFEvwy71{l!|Ri z#Wtm4n^I9ZYt7jO+mwoy1Ulv#Y*Q-Q(c7j}1b0ke*rrspx#ZoZRBTf!e_Ey{Y*Q+X zaZ_7s+on`(Q!2J86`%YndYe+wLKVAVYN@;1l!{I2@iwJmn^Lh&so17ebV{jckxF4m zp{PuqC|n@6NtI|!kYp@Fzl=-o%AiN1Y##WTgd;9zw5nrE7?0u|Bf1B7|fKhQ0k_79E zDrtiI^Qq0Sn%V`3gE!M9P`{AH*0H1wbR0jK0DDg+(f&MuAz*vGVl}XEP@aae_`>P6{Bu8f0}GSzFB!qmM@UQi)Qh1Onf>te3sxfT&iNCEUT^K zAU*0~K&Z3>BGn27;dM!JzD0SQiBB(WeV%o35g;IFLp3md?Y ziMIEt@w02tCUWDs$pQ#``7rtbUl$bhKK;JmGUzjB%H=}Wc3rj+-5(&L%SQy6LoW?U zI8ZLx-ofj`0$oS`&5B-&x=oFL5K6+C)wtbXo|0&~fBto;Jc8z*AvC3eufGSA{abIh 
z3Y_a-P3gWDUd)nX5mz3HievI1;NfU@FYh5#q+Xok^soG6FZG`bs3gZKrE)_ocUJKe zmELRdmvUeY&kai-hx(WeXj7*R&6VLeaWTpsENRgy5#`MO{3rPT{{m1;0Rj{N6aWAK n2mnKd0UeWPA3_c*g&kL_f<(yC7XSb-r<1oIH3mr^00000EfN$| diff --git a/Solutions/Juniper SRX/Package/mainTemplate.json b/Solutions/Juniper SRX/Package/mainTemplate.json index 47566caf9d9..8be1856f1ea 100644 --- a/Solutions/Juniper SRX/Package/mainTemplate.json +++ b/Solutions/Juniper SRX/Package/mainTemplate.json 
@@ -430,7 +430,7 @@ "displayName": "JuniperSRX", "category": "Samples", "functionAlias": "JuniperSRX", - "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| 
extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n 
ServiceName = tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SrcNatRuleName = tostring(Parser2[7]),\r\n DstNatRuleName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", + "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n 
Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), 
ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = 
extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend SrcNatRuleName = tostring(Parser2[2]),\r\n DstNatRuleName = tostring(Parser2[4]),\r\n ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SourceZoneName = tostring(Parser2[7]),\r\n DestinationZoneName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", "functionParameters": "", "version": 1, "tags": [ 
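Review bot: This `query` string is a hand-maintained copy of the FunctionQuery in Parsers/JuniperSRX.yaml, and it had already drifted within this series: PATCH 1/5 bumped the package to 3.0.0 while its mainTemplate hunk still carried the old `SrcNatRuleName = tostring(Parser2[7])` mapping, so the 3.0.0 template and zip produced there did not match the parser the release notes describe until this catch-up commit. The same query is embedded a second time at `@@ -495,7 +495,7 @@`, and Parsers/JuniperSRX.txt is yet another copy, so every parser change has to land in four places and can silently miss one. Regenerating mainTemplate.json and the zip from the yaml in the packaging step, or at least a check that each embedded `query` equals the yaml FunctionQuery, would remove this class of mismatch. The resource object that holds this property is opened and closed outside the hunk.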
@@ -495,7 +495,7 @@ "displayName": "JuniperSRX", "category": "Samples", "functionAlias": "JuniperSRX", - "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| 
extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n 
ServiceName = tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SrcNatRuleName = tostring(Parser2[7]),\r\n DstNatRuleName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", + "query": "\n\r\nlet LogHeader = Syslog\r\n| extend Parser = extract_all(@\"(\\w+)\\:?\\s([\\S\\s]+)\", dynamic([1,2]),SyslogMessage)\r\n| mv-expand Parser\r\n| extend EventTimestamp = EventTime,\r\n DvcHostname = HostName,\r\n EventType = ProcessName,\r\n ProcessId = ProcessID,\r\n 
Message = trim(\"- \",tostring(Parser[1]))\r\n| project-away Parser;\r\nlet SshEvents = LogHeader\r\n| where EventType =~ \"sshd\"\r\n| extend Parser = extract_all(@\"password\\sfor\\s(\\w+)\\sfrom\\s([0-9.]+)\\sport\\s(\\d+)\",dynamic([1,2,3]), Message)\r\n| mv-expand Parser\r\n| extend UserName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[1]),\r\n DstIpAddr = \"\",\r\n SrcPortNumber = toint(Parser[2]),\r\n DstPortNumber = toint(\"\"),\r\n ZoneName = \"\",\r\n InterfaceName = \"\",\r\n Action = \"\"\r\n| extend EventName = extract(@\"^(\\w+\\s?\\w+?)\\s(for|from)\",1, Message)\r\n| extend EventName = extract(@\"([\\w\\s]+\\!)\",1, Message)\r\n| extend UserName = iif(isempty(UserName), extract(@\"for\\suser\\s\\'(\\w+)\\'\\sfrom\\shost\\s\\'([0-9\\.]+)\\'\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"PAM_USER\\:\\s(\\w+)\",1, Message), UserName)\r\n| extend UserName = iif(isempty(UserName), extract(@\"user:\\s(\\w+)\",1, Message), UserName)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"from\\s(host)?\\s?\\'?([0-9.]+)\\'?\",2, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"source\\:\\s([0-9.]+)\\:\",1, Message), SrcIpAddr)\r\n| extend SrcIpAddr = iif(isempty(SrcIpAddr), extract(@\"closed\\sby\\s([0-9.]+)\\s\",1, Message), SrcIpAddr)\r\n| extend DstIpAddr = iif(isempty(DstIpAddr), extract(@\"destination\\:\\s([0-9.]+)\\:[0-9]+\",1, Message), DstIpAddr)\r\n| extend DstPortNumber = iif(isempty(DstPortNumber), toint(extract(@\"destination\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), DstPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"closed\\sby\\s([0-9.]+)\\sport\\s([0-9]+)\",2, Message)), SrcPortNumber)\r\n| extend SrcPortNumber = iif(isempty(SrcPortNumber), toint(extract(@\"source\\:\\s[0-9.]+\\:([0-9]+)\",1, Message)), SrcPortNumber)\r\n| extend ZoneName = iif(isempty(ZoneName), extract(@\"zone\\sname\\:\\s([\\w]+)\\,\\s\",1, Message), 
ZoneName)\r\n| extend InterfaceName = iif(isempty(InterfaceName), extract(@\"interface\\sname\\:\\s([\\w\\-\\.\\/]+)\\,\\s\",1, Message), InterfaceName)\r\n| extend Action = iif(isempty(Action), extract(@\"action\\:\\s([\\w]+)\",1, Message), Action)\r\n| project-away Parser;\r\nlet IdsEvents = LogHeader\r\n| where EventType == \"RT_IDS\"\r\n| extend SrcIpAddr = extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",1, Message),\r\n SrcPortNumber = toint(extract(@\"source\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n DstIpAddr = extract(@\"destination\\:\\s([0-9.]+)\\,?\",1, Message),\r\n DstPortNumber = toint(extract(@\"destination\\:\\s([0-9.]+)\\,?\\:?(\\d+)?\",2, Message)),\r\n ProtocolId = toint(extract(@\"protocol-id\\:\\s([0-9.]+)\\,\",1, Message)),\r\n ZoneName = extract(@\"zone\\sname\\:\\s([\\w]+)\\,\",1, Message),\r\n InterfaceName = extract(@\"interface\\sname\\:\\s([\\w\\.]+)\\,\",1, Message),\r\n Action = extract(@\"action\\:\\s([\\w\\-\\.]+)\",1, Message);\r\nlet FlowEvents = LogHeader\r\n| where EventType == \"RT_FLOW\"\r\n| extend FlowEventName = extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message);\r\nlet FlowDenyEvents = FlowEvents\r\n| where FlowEventName =~ 'session denied'\r\n| extend Parser = extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n Substring = tostring(Parser[8])\r\n| project-away Parser, Substring;\r\nlet FlowNotDenyEvents = FlowEvents\r\n| where FlowEventName !~ 'session denied'\r\n| extend Parser = 
extract_all(@\"^([\\w\\s\\-]+)(\\s|\\:)\\s?([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s(\\w+)?\\s?([\\w\\-]+)\\s([\\d\\.]+)\\/(\\d+)\\-\\>([\\d\\.]+)\\/(\\d+)\\s([\\S\\s]+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]), Message)\r\n| mv-expand Parser\r\n| extend EventName = tostring(Parser[0]),\r\n SrcIpAddr = tostring(Parser[2]),\r\n SrcPortNumber = toint(Parser[3]),\r\n DstIpAddr = tostring(Parser[4]),\r\n DstPortNumber = toint(Parser[5]),\r\n ServiceName = tostring(Parser[7]),\r\n SrcNatIpAddr = tostring(Parser[8]),\r\n SrcNatPortNumber = toint(Parser[9]),\r\n DstNatIpAddr = tostring(Parser[10]),\r\n DstNatPortNumber = toint(Parser[11]),\r\n Substring = tostring(Parser[12])\r\n| extend Parser2 = extract_all(@\"(0x0/s)?([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\\s([\\S]+)\\s([\\S]+)\\s([\\S]+)\\s(\\d+)\",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)\r\n| mvexpand Parser2\r\n| extend SrcNatRuleName = tostring(Parser2[2]),\r\n DstNatRuleName = tostring(Parser2[4]),\r\n ProtocolId = toint(Parser2[5]),\r\n PolicyName = tostring(Parser2[6]),\r\n SourceZoneName = tostring(Parser2[7]),\r\n DestinationZoneName = tostring(Parser2[8]),\r\n SessionId = toint(Parser2[9])\r\n| project-away Parser, Parser2, Substring;\r\nlet AllOtherEvents = LogHeader\r\n| where EventType !in (\"sshd\",\"RT_IDS\",\"RT_FLOW\")\r\n| extend EventName = extract(@\"^([\\w\\s]+)\\s(0)\",1, Message);\r\nunion SshEvents, IdsEvents, AllOtherEvents, FlowNotDenyEvents, FlowDenyEvents\r\n| extend EventName = iif(isempty(EventName), extract(@\"^([\\w\\s]+)\\s(\\d.*)\",1, Message), EventName)", "functionParameters": "", "version": 1, "tags": [ From 0aecf05bed2fe052cb672fce08604123f7ed3c04 Mon Sep 17 00:00:00 2001 From: v-sabiraj Date: Thu, 31 Aug 2023 13:38:41 +0530 Subject: [PATCH 4/5] Revert "Update JuniperSRX.txt" This reverts commit b4f1c74c0db93364d50e27d867d6cde359145da1. --- Solutions/Juniper SRX/Parsers/JuniperSRX.txt | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
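Review bot: The new-side `query` here maps `SrcNatRuleName = tostring(Parser2[2])`, `DstNatRuleName = tostring(Parser2[4])` and introduces `SourceZoneName`/`DestinationZoneName` from `Parser2[7]`/`Parser2[8]`, while the revert in PATCH 4/5 puts `Parsers/JuniperSRX.txt` back to `SrcNatRuleName = tostring(Parser2[7])`, `DstNatRuleName = tostring(Parser2[8])` with no zone columns, so the function shipped in `3.0.0.zip` and the parser text in the repo disagree on what `SrcNatRuleName` contains. If the substring follows Juniper's RT_FLOW_SESSION_* field order (src-nat-rule-type, src-nat-rule-name, dst-nat-rule-type, dst-nat-rule-name, protocol-id, policy-name, source-zone-name, destination-zone-name, session-id) the mapping in this hunk is the right one and the .txt revert reintroduces a mislabel, but that should be confirmed against a live sample; either way the two copies must be regenerated from one source before release, or detections keyed on `SrcNatRuleName` will match zone names on one deployment and NAT rule names on the other. On both sides of this hunk the leading optional group `(0x0/s)?` uses a literal `/s`, not a whitespace escape, so it can never consume the `0x0` connection tag and the extraction only works because the pattern is unanchored; `(0x0\\s)?` (in the JSON-escaped string) states the intent. The enclosing savedSearch resource object starts and ends outside this hunk.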
diff --git a/Solutions/Juniper SRX/Parsers/JuniperSRX.txt b/Solutions/Juniper SRX/Parsers/JuniperSRX.txt
index 00511e63997..4d5448aeb20 100644
--- a/Solutions/Juniper SRX/Parsers/JuniperSRX.txt
+++ b/Solutions/Juniper SRX/Parsers/JuniperSRX.txt
@@ -100,12 +100,10 @@ let FlowNotDenyEvents = FlowEvents
 Substring = tostring(Parser[12])
 | extend Parser2 = extract_all(@"(0x0/s)?([\S]+)\s([\S]+)\s([\S]+)\s([\S]+)\s(\d+)\s([\S]+)\s([\S]+)\s([\S]+)\s(\d+)",dynamic([1,2,3,4,5,6,7,8,9,10]), Substring)
 | mvexpand Parser2
-| extend SrcNatRuleName = tostring(Parser2[2]),
- DstNatRuleName = tostring(Parser2[4]),
- ProtocolId = toint(Parser2[5]),
+| extend ProtocolId = toint(Parser2[5]),
 PolicyName = tostring(Parser2[6]),
- SourceZoneName = tostring(Parser2[7]),
- DestinationZoneName = tostring(Parser2[8]),
+ SrcNatRuleName = tostring(Parser2[7]),
+ DstNatRuleName = tostring(Parser2[8]),
 SessionId = toint(Parser2[9])
 | project-away Parser, Parser2, Substring;
 let AllOtherEvents = LogHeader
From 2569701444ada5aacf51e50efd90258c8af3e6cd Mon Sep 17 00:00:00 2001 From: v-sabiraj Date: Thu, 31 Aug 2023 13:52:56 +0530 Subject: [PATCH 5/5] Updated data connector text --- Solutions/Juniper SRX/Package/3.0.0.zip | Bin 8178 -> 8175 bytes .../Package/createUiDefinition.json | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) 
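Review bot: The restored lines `SrcNatRuleName = tostring(Parser2[7])` and `DstNatRuleName = tostring(Parser2[8])` read the two `[\S]+` groups that follow `PolicyName` (`Parser2[6]`), which the mainTemplate.json copy of this same parser in PATCH 1/5 labels `SourceZoneName` and `DestinationZoneName`, so after this revert the repo parser and the packaged function disagree on the meaning of `SrcNatRuleName`/`DstNatRuleName` and the .txt loses the zone columns entirely. Under Juniper's documented RT_FLOW_SESSION_* layout (…, src-nat-rule-name, dst-nat-rule-type, dst-nat-rule-name, protocol-id, policy-name, source-zone-name, destination-zone-name, session-id-32) the reverted mapping would put zone names into the NAT-rule columns, which is the kind of mislabel that makes NAT-based detections silently wrong — please confirm against a live RT_FLOW sample before shipping the revert, and keep .txt, .yaml and mainTemplate.json identical whichever mapping wins. Whichever order is kept, pin the positional contract so the next edit cannot swap fields unnoticed, e.g. above the `extract_all`: `// Parser2 groups (0-based): [1..4] src-nat-rule-type/name, dst-nat-rule-type/name; [5] protocol-id; [6] policy-name; [7] source-zone; [8] destination-zone; [9] session-id — Juniper RT_FLOW_SESSION_CREATE/CLOSE order, verify on upgrade`. Separately, `(0x0/s)?` is a literal `/s` rather than a whitespace escape, so the optional group never matches the `0x0` connection tag and only the unanchored search keeps the extraction working; `(0x0\s)?` says what was meant. The `FlowNotDenyEvents` let-statement begins above this hunk.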
diff --git a/Solutions/Juniper SRX/Package/3.0.0.zip b/Solutions/Juniper SRX/Package/3.0.0.zip index e4c1064b8fd4b1bcbf1d054a3266c4b045d1f4cc..45d0464765eaad9f1b8f31947d89fc51e6bd6234 100644 GIT binary patch delta 1888 zcmV-m2cP)zKkq*mP)h>@6aWAK2mowuA6F;E-QE!g007gG7a)J@ZsWKW{$HT)KxkXU z4s0nCV9`aevqd_y*xh2LJ4mt@APx#zqHJy`QYEQ)JktRCEPa8#(>_VRLrSt_JJad) zPsSn-&yC+X=i|Kp^{*I9e&h1BsCaV0lC}4>yU4P*l2%;vm8gXFDSy{kk>;jq_gr?C zK1BB|L;6@t&5jm>XTn)ouYx()}Rcaa&-q^pw3(f;+*i zD1~L-FuxY8G)kF`)GM|WrLlrZ?L1eCR%qWD)lfheY+>0#vtNGx8@md*9Bs4PD-pGm zF?ToVB94F2J{{sxnPnH}b*s!}e{8g@h5haM+4a?rS*to|PODc3 zTocZ-fe*}EUY0Uvs0`+|NMXg4SviP8{!n8Y(eRxvgjHJ#btiKp^0hWN4gVOhSpY9F zZe*hO6u%2m3ne^VJDY4=zYpZ%rt15IGuI4}zt{eIFXbKFut*9n|dWWt;mUvNwHp5k$R0<7p z26^S}MsA#U7nA{>vfIlQRL@cKqM!_8S1FN)bCc_>!_su;c42b2=XHprM_`7!*El|R z@o2o3m)vvqBJLRLs9vAV*y-sTZULM4O_G1NuLQT6RaC2dX&QgzrVqd$9O&#%*)KcMQpscLkTu)>)&=a;a>N1B-t8cWUdw1E!*n3y=TsW%AXg%W?CH|^GeSJXNNX62a`wt1DNy|J)mZ%4p3_Q7N{YbFJH@o%C1u~V;jL%0ucACw5AHxNoYk1)z)KN zu|5?e?;b}%B@fa`G@fqeJ>hzHpIq-Im8dOEBh}kxsHpqd{^%6%rfLt3 z;ds@U*%UWoe0BLlAIi`xzpcfXA@qN+PA_eBSxZ!yw?>Um8KZ6_MUjMlS4u_PfGxMX zj5(x}dnPC*Y9f@}t2PHLB!M|WO+geR-Kh20ZAkm=Dlip0Q9`f$dNNAlWSUZh)7jbd zE*Yo#FPKsO7)aKJxJmNWmp5Z%g5mgeun7Br$7EQXFeHoF$)FlOwt#-mYdL>!xz+RY zv-7k0*=O^!XD4v@*zNW%9lOQNM_%9yQ&kwkFRiIxVqlM?6<-QP;>XcYE3B-IDk5#X z4)?=2d&2Y{3JO>(h)`^#QcTgk8?6SA7$Cy^i;!>_-I&tu;7&u~h~j&$aOL3wD_&0` zASbarCMV+pIGLsoBtB!U+?0Pk|AG;>gb6qC<`p#Bb`Li{ow081DE_7pm`IR`pr@ws zGigzD@_rF>zDO<>$;ph7SU5FfCyQjZNP;KFcOOrn`fd-Wgl%a>ao8h<8QZm_p->C7 zyRLhH0M-Arc~Do)`zd=IO?#twB(zk#5I52XZ$2m~A|pANbo&kcxMzRQz+>L}gL(60 zecV9$4;Tga2S-dDr{=*ZA$4RU0ABp^^WO*D5?|yG>m6bNnLQf?AD5_wcAHl1h?)i- zx&g;K#zWa<2`E1G(wMRM5^IQ>fJ8zb}8PXKGyn9a>s+C3YnA7VYq;s9eZvJSMnX? 
z=qUFoJ+2Oy`)A2gc)G;gSSu8d9J*wMEb+Lc=K&?ag(Wf@2+3|Uti|5r2u_8S4+5%- zxi@qC!@x*EoU!QyuVBsrY`E9%H3j0TCGG&R&Dgr381O^lX%T;(CQ?5TtzSjA2t?>~ zHF66`@6aWAK2mnrFA6I94tkx6<008R~000-0fFBxvy;yy3+qfD3 zf55&2p>2pA*isr`xFJ|?$lAlbpxufjceg_v9B7HMd7(%hNyT-$0Q)TaX!l9>dq_!^ zY^T@lwgE+J@p<^Xzx>$uzy1|t$!}f078Oq}ShDuMb{AO|PtuBOz7mztKIQKkE7IIl zEzM9h2FUR&`X#U^`yVFmZ%>n~r5Qfld?(dp|(dHGG1{@{%MO)?9*)?61#Skm=c z=GHh<`t&l$9!O}JAB1%fM9d>)ExG2FSHgn{9PjA}hq=+ETn6vrwMIRl@H|a|Hb+c@ou+Zp#DMA#R;7R;@evLz^ zg~|{t7@55?E8`;V`;L~nht(os8(H`@6nygg`Yk@!Lax@n|NeBL7y9({FUE_D(^K|F z3GM{5q7;^S!~9yX(kNv%Qm@!jl*S4swewslIw86sFY{zG}3rh5g<6+4a@mvQ~7EoL0qjXUWZ4z~qW= zVLiLO*Jh)cbgmg%!0%CxE_1EM&SDq1BlDC&ndc}!@|pr89qX(~DTq+SZd=Iq-!axUS*+E;3Sx(gk`&iayOU1XThe5r(E zThowDFikkm1~xEnd0EPwp);7?>k*~GEZP>?9 zn+576`i)5Rmg09IY5@V-GklK=$PZ-9qEV(2%#_53%IL1|um|G<9vP&y-kkm9u@yPnO&IN?O7c>=_@cp z-)mf-yLdIGD9Ctjc+_6f8HWq}@|{qlt@sO>r-Gqw?IB~ap?mDW_DJE>X` zLbdf+SF8`k$hyaoQ^|vL5`(APc~6+$CG>M^n)<+gPBY=Nw-UXjX{CDG3S*Mq_x~wHS%v+prIg&k!JWdh;&buL=riEC^6+q*6>#-i=m+k{DEk`!`F%VRd6myMvsD#u3FgTp{Hl zffcVOu^=b0JtimP1~{3f55zuWE#H)XJ^z#uwuA~d@#YmI+LngQPiL$<;t|tQ@j~24AFTNxr-+E;VAJgn^y8L)Jp+z; z>kszLll^f6?muG{+#g&qb=;ZdSSu8d$hu^OEb-)|M*{`Gg(FfMV9Jgd&f-LJ z^yDe5d=L;_%)Oc89|oKXI1Qo`yn;H1ag4lnZ!ExBEs+EGHe>6Ce83NXi3dk`ut@zt zV1E_Oq9Vfls}Wn2L=Fe6G+~Y(c{%;piv;z3fBwHN4^ncBFr0MYZUe_7w*y zhI1;;ZiGGAso(4-H1F->uv0r9M*B1wdDeYQMl3tzLp(>cbwDn}6o28*zW`86 t0|b+x9~!e{2mKcfPGcWeXM3#H6bAqR>yvIDRsl(q#UCUFSRViY004Kgu~h&7 diff --git a/Solutions/Juniper SRX/Package/createUiDefinition.json b/Solutions/Juniper SRX/Package/createUiDefinition.json index f7be2df6d71..e55d78ea28c 100644 --- a/Solutions/Juniper SRX/Package/createUiDefinition.json +++ b/Solutions/Juniper SRX/Package/createUiDefinition.json 
@@ -60,7 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for Juniper SRX. You can get Juniper SRX Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "The Juniper SRX data connector allows you to easily connect your Juniper SRX logs with Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
@@ -89,4 +89,4 @@
 "workspace": "[basics('workspace')]"
 }
 }
-}
+}
\ No newline at end of file